
Re: Credentials held unencrypted in memory during runtime

From: Stefan Küng <tortoisesvn_at_gmail.com>
Date: Tue, 12 Apr 2011 12:02:57 +0200

On Mon, Apr 11, 2011 at 22:58, Arthur Schwarz <aschwarz1309_at_att.net> wrote:
> This is a security issue. In some environments this is not allowed. All

Again: NO, it is NOT a security issue.
Repeat after me: this is NOT a security issue.

> security related data, the password being one example, are treated as
> transient in the sense that after the data is used, it is destroyed. One
> issue that this addresses is the paging of security related information into
> a page file. If the location where the password is stored is not deleted
> then it is available to other system users.

If your system is configured so that users actually can open and
read the paging file you don't need to worry about security issues
anymore. Because you don't have any security at all and therefore
can't have any issues with it. Can't have an issue with something that
doesn't exist.

> Whether the software/computer are trusted is not an issue addressed by a
> 'process'. If the process dictates what is to be done with transient but
> sensitive data then the process specified procedure must be followed. If the
> process allows exceptions for certain machines, then those machines are
> excepted. We don't have to address the process.

So you're expecting a process to implement the security because your
system doesn't?
Doesn't work that way, sorry. If your system is not secure, all that a
process can do is provide "security by obscurity" - look it up if you
don't know what that is.


  oo  // \\      "De Chelonian Mobile"
 (_,\/ \_/ \     TortoiseSVN
   \ \_/_\_/>    The coolest Interface to (Sub)Version Control
   /_/   \_\     http://tortoisesvn.net
Received on 2011-04-12 12:03:24 CEST

This is an archived mail posted to the TortoiseSVN Users mailing list.
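
The practice the quoted message describes (keeping a password out of the page file and destroying it once used), as an added example that is not part of the original thread and not TortoiseSVN code. It assumes a POSIX system; `secret_t`, `secret_load`, `secret_destroy` and `secret_is_clear` are hypothetical names, and on Windows the analogous calls are `VirtualLock` and `SecureZeroMemory`.

```c
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>

/* Hypothetical holder for a transient credential (all names are assumptions). */
typedef struct {
    char   buf[128];
    size_t len;
    int    locked;   /* 1 if mlock() pinned the pages in RAM */
} secret_t;

/* Volatile writes so the compiler cannot drop the wipe as a dead store. */
static void wipe(volatile void *p, size_t n) {
    volatile unsigned char *b = p;
    while (n--) *b++ = 0;
}

/* Pin the holder in RAM first, then copy the password in.
   Returns -1 (holder untouched) if the password does not fit. */
int secret_load(secret_t *s, const char *pw) {
    size_t n = strlen(pw);
    if (n >= sizeof s->buf) return -1;
    /* mlock keeps these pages out of swap; it can fail under
       RLIMIT_MEMLOCK, so record the outcome and let the caller decide. */
    s->locked = (mlock(s, sizeof *s) == 0);
    memcpy(s->buf, pw, n + 1);
    s->len = n;
    return 0;
}

/* Wipe before unlocking, so no unlocked page ever holds the secret. */
void secret_destroy(secret_t *s) {
    int was_locked = s->locked;
    wipe(s, sizeof *s);
    if (was_locked) munlock(s, sizeof *s);
}

/* Returns 1 if every byte of the holder is zero. */
int secret_is_clear(const secret_t *s) {
    const unsigned char *b = (const unsigned char *)s;
    for (size_t i = 0; i < sizeof *s; i++)
        if (b[i]) return 0;
    return 1;
}
```

The wipe covers only this buffer: copies made elsewhere (the caller's own string, stdio buffers, library internals) are untouched, and a process running as the same user can still read the memory while the secret is live.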