
Re: Credentials held unencrypted in memory during runtime

From: Simon Large <simon.tortoisesvn_at_gmail.com>
Date: Tue, 12 Apr 2011 11:11:45 +0100

On 12 April 2011 11:02, Stefan Küng <tortoisesvn_at_gmail.com> wrote:
> On Mon, Apr 11, 2011 at 22:58, Arthur Schwarz <aschwarz1309_at_att.net> wrote:
>> This is a security issue. In some environments this is not allowed. All
>
> Again: NO, it is NOT a security issue.
> Repeat after me: this is NOT a security issue.
>
>
>> security related data, the password being one example, are treated as
>> transient in the sense that after the data is used, it is destroyed. One
>> issue that this addresses is the paging of security related information into
>> a page file. If the location where the password is stored is not deleted
>> then it is available to other system users.
>
> If your system is configured so that users actually can open and
> read the paging file you don't need to worry about security issues
> anymore. Because you don't have any security at all and therefore
> can't have any issues with it. Can't have an issue with something that
> doesn't exist.

But if you request a chunk of memory from the system does the OS clean
out any previous content before it gives it to you? I guess if it
doesn't then the security issue is with the OS not the app.

Simon

-- 
:       ___
:  oo  // \\      "De Chelonian Mobile"
: (_,\/ \_/ \     TortoiseSVN
:   \ \_/_\_/>    The coolest Interface to (Sub)Version Control
:   /_/   \_\     http://tortoisesvn.net
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2719049
Received on 2011-04-12 12:11:53 CEST

This is an archived mail posted to the TortoiseSVN Users mailing list.
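
Added example, not part of the original message or of TortoiseSVN's code: a C sketch of the "destroy after use" handling and the page-file concern raised in the quoted text, assuming a POSIX system (the thread concerns Windows, where VirtualLock and SecureZeroMemory play the roles of mlock and the volatile wipe). The names SECRET_CAP, secret_alloc, secret_free and residue are hypothetical, and the password string is a constructed sample.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* exposes MAP_ANONYMOUS under strict -std= */
#endif
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#define SECRET_CAP 4096            /* assumed buffer size for this sketch */

/* Zero through a volatile pointer so the optimizer cannot discard the
   stores as dead just because the buffer is released right after. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Private anonymous mappings are handed out zero-filled by the kernel,
   so another process's old data never appears in a fresh page. */
char *secret_alloc(int *locked) {
    void *p = mmap(NULL, SECRET_CAP, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    /* mlock keeps the page out of swap; it may fail under RLIMIT_MEMLOCK. */
    *locked = (mlock(p, SECRET_CAP) == 0);
    return p;
}

/* Number of non-zero bytes left in the buffer. */
size_t residue(const char *p) {
    size_t n = 0;
    for (size_t i = 0; i < SECRET_CAP; i++) n += (p[i] != 0);
    return n;
}

/* Wipe before unmapping; munmap also releases the lock. */
int secret_free(char *p) {
    secure_wipe(p, SECRET_CAP);
    return munmap(p, SECRET_CAP);
}

int main(void) {
    int locked = 0;
    char *pw = secret_alloc(&locked);
    if (!pw) return 1;
    printf("fresh page residue: %zu, locked: %d\n", residue(pw), locked);
    strcpy(pw, "constructed-demo-password");   /* constructed sample value */
    secure_wipe(pw, SECRET_CAP);
    printf("residue after wipe: %zu\n", residue(pw));
    return secret_free(pw);
}
```

Memory returned by malloc or free within the same process is a separate matter: the allocator can reuse a block without clearing it, which is why the wipe happens before release.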