Re: Windows Explorer may expose FTP passwords in plaintext
- From: "Shenan Stanley" <newshelper@xxxxxxxxx>
- Date: Sat, 19 Jul 2008 20:13:55 -0500
Brian Knittel wrote:
Stefan got the point: a computer should never display a previously
entered password in clear text, no matter what, and I have observed
Windows doing just that.
Has anyone else observed this behavior following the steps I
outlined?
Please add this additional step:
When you are viewing the remote FTP directory using Windows
Explorer, drag a file from the FTP directory onto your desktop. Then,
close Explorer, reopen it, and type ftp:// into the Address window. (I
just noticed that the passwords I see are all on URIs that have
filenames)
Could you please test this, and if you have a positive result (that
is, you see the password), please post a response. It would help if
you noted your version of Windows and Service Pack level.
Or, if you have a negative result, that is, you drag a file to your
desktop, and the next time you open Explorer and type ftp:// into
the Address bar you DO NOT see the password, please also post a
response, if others haven't already done so for your particular
version+SP level of Windows.
Please, in the interest of keeping on topic, let's just focus on
this one behavior, and save discussions of network protocol
security, public computers and the like for another day.
I *know* it happens - because it's been doing that for years.
IE4, IE5, IE6 and I bet IE7.
It is not like this discussion is new. ;-)
Maybe where the password is displayed is (maybe) - but I am sure it has to
do with 'how the browser has to pass the credentials...' - so it may be a
direct result of the protocol rules of passing things in clear/plain text.
Internet Explorer 5, Netscape 4.61 Reveal FTP User Names and Passwords
http://www.astonisher.com/archives/bugnet/alerts/bugalert_81199.html
(1999)
Internet Explorer discloses FTP access credentials
http://www.heise-online.co.uk/security/Internet-Explorer-discloses-FTP-access-credentials--/news/94349
(2007)
Internet Explorer and Your Web Site's Privacy
http://blog.washingtonpost.com/securityfix/2007/08/ftp_files_expose_web_site_cred.html
(2007)
How to Enter FTP Site Password in Internet Explorer
http://support.microsoft.com/kb/135975
(OLD - since it mentioned Windows 95/98 - but last updated in 2007)
"NOTE: The user name and password you enter in the Login As dialog box are
passed through as plain text and may be displayed in the Internet Explorer
title bar or status bar while you are connected to the site.
Note that this is not a secure method of logging on, as the password is
viewable in plain text. If you require additional security, use the FTP
client (Ftp.exe) that is included in your version of Windows 95 or Windows
98."
Does Firefox do it?
Opera?
Any other browsers?
Or do some browsers not even do FTP because of the weak security and how
they would have to pass the username/password?
--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html