Re: Credentials held unencrypted in memory during runtime
From: David Huang <khym_at_azeotrope.org>
Date: Tue, 12 Apr 2011 15:29:50 -0500

On Apr 12, 2011, at 2:33 PM, Ron Wilson wrote:
> On Tue, Apr 12, 2011 at 3:12 PM, David Huang <khym_at_azeotrope.org> wrote:

So the next day, I would have to type in my credentials again? Sure, I suppose that could be considered more secure, but there's always the tradeoff between security and usability.
However, I thought Stefan Küng's question was what could be done differently to make things more secure, given the current requirement that telling TSVN to save your password means it's saved indefinitely (i.e., until you manually tell it to clear the saved passwords). Recall that this discussion started because someone thought it was a security hole that you could use a debugger to get a cleartext password out of TortoiseProc, and that Stefan said that it'd be easier to just get them from the place where SVN remembers its passwords. Then you said that this meant that SVN's password saving wasn't implemented correctly. From what I can see, it's implemented the best it can be, given the requirements. If you want to change the requirements to say that SVN can only cache credentials for a limited time, then of course, things would have to be implemented differently.
This is an archived mail posted to the TortoiseSVN Users mailing list.