
Re: lynx-dev ftp://user:address@hidden too much unencrypted info

From: Larry W. Virden
Subject: Re: lynx-dev ftp://user:address@hidden too much unencrypted info
Date: Mon, 8 Nov 1999 20:14:25 -0500 (EST)

It would be interesting to see the percentage of occurrences for the
number of telnet/ftp URLs (are there others) where a password is a real
one being sent.  My guess - the occurrences are going to be in the single
digits of the total number of occurrences of user/passwords.
In many cases, there is no security problem with address@hidden in these
URLs.  If the ftp site is a public one, then the 'password' is simply a
valid email address.  There's nothing wrong with having that there.
It's only URLs where the field is a real password that you have a problem.

So for this theoretically small number of cases, what is the goal that
is being strived for?  Protecting the password from whom?  Someone else
on the user's system, or someone on the net?  It is going to do little
good to store the password encrypted on the local disk and then send
it decrypted across the internet, right?  And that's the format that
telnet/ftp/etc. expect, right?

So, if the open transmittal assumption is true (and I am pretty sure that
it is), then the only thing you are attempting to protect is your password
from other users.

Is proper permissions of the bookmark files not sufficient?  Is it that
you are wanting to share bookmark files with others, but you don't want them
to see your passwords in a few URLs?  Or is it that you want to share URLs
which have login and passwords, but not show that data to the users?
In the first case, just store (and perhaps lynx can help here) URLs with
logins and passwords in a separate file which cannot be accessed by anyone
other than the user.

If on the other hand, we are talking about a situation where you want people
to be able to use the URL but not see it, then perhaps rather than trying to
reengineer lynx, use could be made of lynxcgi, to look up data that is
stored encrypted (of course, you have to prompt the user for the password
to decrypt the data - otherwise, you would have to store the password in
an encrypted manner, which would require a password, etc...).
Larry W. Virden                 <URL: mailto:address@hidden>
Unless explicitly stated to the contrary, nothing in this posting should 
be construed as representing my employer's opinions.
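As an added example (not part of this thread and not lynx's own code), the following POSIX shell script does the two checks the message leans on: it lists the ftp:// and telnet:// bookmarks that embed user:password@host, separating anonymous-ftp logins whose "password" is only an e-mail address from ones carrying a real secret, and it verifies that the bookmark file is readable by its owner only. The bookmark sample is constructed; it only assumes lynx's bookmark format of an HTML list of `<a href>` entries.

```shell
#!/bin/sh
# Constructed sample of a lynx bookmark file (an HTML list of <a href> entries).
# The first URL is an anonymous ftp login whose "password" is just an e-mail
# address; the second embeds what looks like a real password; the third has none.
SAMPLE_BOOKMARKS='<ol>
<li><a href="ftp://anonymous:user@example.org@ftp.example.org/pub/">public mirror</a>
<li><a href="ftp://alice:s3cret@files.example.net/home/">private files</a>
<li><a href="https://www.example.org/">plain page</a>
</ol>'

# Print "KIND USER URL" for every ftp:// or telnet:// bookmark carrying
# user:password@host.  KIND is EMAIL when the password is only an address
# (harmless on a public ftp site) and SECRET when it looks like a real password.
classify_credential_urls() {
    printf '%s\n' "$1" |
    sed -n 's/.*href="\([^"]*\)".*/\1/p' |
    while IFS= read -r url; do
        case "$url" in ftp://*|telnet://*) ;; *) continue ;; esac
        authority=${url#*://}; authority=${authority%%/*}   # drop scheme and path
        case "$authority" in *@*) ;; *) continue ;; esac    # no userinfo at all
        userinfo=${authority%@*}                            # up to the last '@'
        case "$userinfo" in *:*) ;; *) continue ;; esac     # user without password
        user=${userinfo%%:*}; password=${userinfo#*:}
        case "$password" in *@*.*) kind=EMAIL ;; *) kind=SECRET ;; esac
        printf '%s %s %s\n' "$kind" "$user" "$url"
    done
}

# Return 0 when the file has no group or other permission bits set, i.e. the
# "proper permissions" the message relies on (mode 600 or stricter).
bookmark_file_is_private() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Demo: list the bookmarks that really need protecting and check a file's mode.
if [ "${1:-}" = "--demo" ]; then
    classify_credential_urls "$SAMPLE_BOOKMARKS"
    f=$(mktemp); chmod 600 "$f"
    bookmark_file_is_private "$f" && echo "$f is private"
    rm -f "$f"
fi
```

Run with `--demo` to see the two flagged bookmarks; pointing `classify_credential_urls` at the contents of `~/lynx_bookmarks.html` shows which of your own entries carry a real secret rather than a public-ftp e-mail address.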
