For Windows clients, in %appdata%\filezilla\sitemanager.xml the passwords are stored in plaintext. This is generally bad security practice, as any malware that is aware of FileZilla (as many are aware of and utilize stored passwords in Windows Explorer FTP) can harvest FTP credentials and upload malicious files to any stored webserver FTP addresses.

Windows provides an easy mechanism to encrypt passwords using DPAPI. Specifically, the two functions of interest are CryptProtectData and CryptUnprotectData. These functions will handle encryption and key management to store the passwords. They should be used with the optional entropy to further increase the difficulty in other applications extracting that information.

In .NET the class provides managed access to DPAPI so that P/Invoke marshalling is not necessary.

Alternatively, sitemanager.xml could be entirely encrypted using AES with the passwords stored in the encrypted file; however, the encryption key should be computer/user specific and stored via DPAPI.

Either route comes with drawbacks, however: it makes migrating settings to new installs more difficult (you can't just copy sitemanager.xml and drop it in the %appdata% directory of the new install), so that is a drawback to be aware of.

In OS X the same functionality is provided via the Keychain API in the functions SecKeychainAddGenericPassword and SecKeychainFindGenericPassword.

Like another person here, I registered specifically to put in this bug. There is a long discussion elsewhere about this. Apparently the bug has been there for years. I call this a bug because it is a 'misfeature' that is so severe as to render the program unusable for some purposes. For instance, in my case, I was setting up FileZilla on what has to be a FAT32 USB Flash drive (and hence there is no file-system security). There are about five dozen sites in the XML file in question. There is no way to secure the file using the file system if I move it to the new drive.
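The DPAPI approach proposed above, shown through the .NET `ProtectedData` wrapper over CryptProtectData/CryptUnprotectData with optional entropy. This is an added example, not FileZilla's code or code from the original post; the function names, entropy string and password are constructed for illustration.

```powershell
# Added example: per-user DPAPI protection of a stored site password.
# ProtectedData.Protect/Unprotect call CryptProtectData/CryptUnprotectData.
Add-Type -AssemblyName System.Security

function Protect-SitePassword {
    param([Parameter(Mandatory)][string]$Password,
          [Parameter(Mandatory)][byte[]]$Entropy)
    $plain = [Text.Encoding]::UTF8.GetBytes($Password)
    try {
        # CurrentUser scope: the key is derived from this user's logon secret.
        $blob = [Security.Cryptography.ProtectedData]::Protect(
            $plain, $Entropy,
            [Security.Cryptography.DataProtectionScope]::CurrentUser)
        [Convert]::ToBase64String($blob)   # text-safe form for an XML element
    } finally {
        [Array]::Clear($plain, 0, $plain.Length)   # drop the plaintext copy
    }
}

function Unprotect-SitePassword {
    param([Parameter(Mandatory)][string]$Blob,
          [Parameter(Mandatory)][byte[]]$Entropy)
    $plain = [Security.Cryptography.ProtectedData]::Unprotect(
        [Convert]::FromBase64String($Blob), $Entropy,
        [Security.Cryptography.DataProtectionScope]::CurrentUser)
    [Text.Encoding]::UTF8.GetString($plain)
}

# Constructed sample values (hypothetical, not from any real configuration).
$entropy = [Text.Encoding]::UTF8.GetBytes('example-app/sitemanager/v1')
$stored  = Protect-SitePassword -Password 'constructed-sample-password' -Entropy $entropy

"Value written to disk : $($stored.Substring(0, 32))..."
"Round trip            : $(Unprotect-SitePassword -Blob $stored -Entropy $entropy)"

# A caller that does not supply the same entropy cannot unwrap the blob.
try {
    $other = [Text.Encoding]::UTF8.GetBytes('some-other-application')
    Unprotect-SitePassword -Blob $stored -Entropy $other | Out-Null
    'Unexpected: blob decrypted with the wrong entropy'
} catch {
    "Wrong entropy rejected: $($_.Exception.Message)"
}
```

The blob only decrypts under the same Windows user profile, which is the migration drawback noted above: a copied file is unreadable on another account or machine. Entropy embedded in the application is not a secret, so it raises the bar against generic DPAPI-reading tools but does not stop code running as the same user that knows the value.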