Bug #2476
closed
SECURITY ISSUE - Plain Text Dynamic DNS Account Password
Description
Dynamic DNS account password is saved as plain text in XML config and backup files.
Updated by Chris Buechler almost 12 years ago
- Status changed from New to Rejected
by design, not a security issue.
http://doc.pfsense.org/index.php/Why_are_some_passwords_stored_in_plaintext_in_config.xml%3F
Updated by NOYB NOYB almost 12 years ago
Just because it is by design does not mean it is not a security issue. Saving account passwords in plain text is a security issue. If it is by design, then the design is flawed and that is an issue that needs to be resolved.
Updated by Chris Buechler almost 12 years ago
read the link. There are no alternatives for such passwords.
Updated by NOYB NOYB almost 12 years ago
I did read the link. And it is still a security issue. Lack of interest in resolving it does not change the fact that it is a security issue and should be resolved.
Updated by Chris Buechler almost 12 years ago
we have the ability to encrypt backups, that's what you should do. It's impossible to securely encrypt such passwords in the running config.
Updated by NOYB NOYB almost 12 years ago
You have stated that it is not a security issue. It clearly is. Not doing anything about it does not change that.
Updated by Chris Buechler almost 12 years ago
you can call it anything you want, the reality is it's impossible to store such passwords in a hashed or encrypted manner that isn't trivially reversible, so encrypt your entire config.
Updated by NOYB NOYB almost 12 years ago
The point is that you should not be saying it is not a security issue. Rather that it is by design due to lack of a currently known (to the developers anyway) method of resolving.
Updated by Chris Buechler almost 12 years ago
It truly is impossible to securely resolve. You won't find anything that has a secure solution for encrypting such passwords. Please stop wasting our time.
Updated by NOYB NOYB almost 12 years ago
Please stop misclassifying it as not a security issue.
Sorry you feel your responses here are a waste of your time. If you feel that way just stop. Only you can decide whether or not to spend your time on something you consider to be a waste.
Updated by Chris Buechler almost 12 years ago
Insecurely storing your config can certainly be a security issue with every firewall and router. Literally every router and firewall in existence has the same "issue" of inability to securely store dyndns and similar passwords/keys that by their nature must be available in plain text during operation of the system. I'm done arguing a point you clearly can't grasp the impossibility of, move on to complaining to Cisco or someone else about the same, none are any different.
Updated by NOYB NOYB almost 12 years ago
As I’ve been pointing out and you don’t seem to be grasping, just because there is "seemingly" (by your claims anyway) not a solution, does not negate the fact that it is a security issue. That's like saying because you don't know how to lock your door that there is not a security issue.
I strongly disagree though that it is not possible to encrypt these passwords in both the live and backed up config. In fact I am certain of it. But due to your closed-mindedness and arrogance I’ll just continue keeping it to myself since you don’t seem interested to expand your knowledge and improve this pfSense product's security.
Updated by Chris Buechler almost 12 years ago
This is the last time I'm going to say it - it's impossible to do in a way that isn't trivially reversible. There's a reason literally nobody does it. Please include code to prove me wrong on any further comments.
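The storage trade-off argued in this thread, as an added example that is not part of the ticket and not pfSense code: it shows what a key kept on the box protects, why a hash cannot serve an outbound login, and what a passphrase-encrypted backup changes. The file name `device.key`, the sample password and the HMAC-based keystream are assumptions made for illustration; the keystream stands in for a real cipher and does not represent pfSense's backup format.

```python
import hashlib, hmac, os

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Illustrative keystream (HMAC-SHA256 in counter mode); a stand-in for a real cipher.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def passphrase_key(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)

PASSWORD = b"dyn-s3cret"  # constructed sample credential

def on_box_files() -> dict:
    # Running config: the updater must decrypt unattended, so the key sits beside the data.
    key = os.urandom(32)
    return {"config.xml": seal(key, PASSWORD), "device.key": key}  # hypothetical layout

def read_with_box_access(files: dict) -> bytes:
    # Whoever can read both files gets exactly what the updater gets.
    return unseal(files["device.key"], files["config.xml"])

def provider_accepts(sent: bytes) -> bool:
    # The remote service checks the real password, so a stored hash cannot log in.
    return hmac.compare_digest(sent, PASSWORD)

def export_backup(passphrase: str) -> bytes:
    # Exported backup: key derived from an operator passphrase never written to the box.
    salt = os.urandom(16)
    return salt + seal(passphrase_key(passphrase, salt), PASSWORD)

def open_backup(blob: bytes, passphrase: str) -> bytes:
    return unseal(passphrase_key(passphrase, blob[:16]), blob[16:])

if __name__ == "__main__":
    print(read_with_box_access(on_box_files()))
    backup = export_backup("operator passphrase")
    print(open_backup(backup, "operator passphrase"), open_backup(backup, "guess"))
```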