On Wednesday, 19 February 2020 at 08:19:11 UTC+1, Stefan wrote:

> maybe a little more detailed:
>
> * this really isn't a security issue because this only works with your own Windows account. And if you can't secure that, *then* you have a security issue but not because of TSVN.

This feature gives an attacker a very easy way to view your passwords in plaintext without the need to install any other tools. Only a few moments of access to the desktop are required. This is not an unrealistic scenario.

> * any tool can do it, so why remove it from TSVN?

Within a corporate environment the ability to install additional tools usually is restricted. Why is this feature even in TSVN? What purpose does it serve? Should we not strive towards keeping the features of a software minimal for better maintainability and robustness?

> * it's undocumented, so you won't see those accidentally. Using the "advanced settings" to turn this feature off as you suggested isn't better in that regard.

Having undocumented features in a software should be avoided, at least for reasons of trust. And if this feature cannot be removed, it should at least be configurable with default off to make it as hard as possible for an attacker to misuse it.

> * have you checked your webbrowser lately? Every browser I know of lets you see all saved passwords somewhere in their settings pages.

The browsers used in a corporate environment usually can be configured/hardened to prevent this behavior.
