
DNS and cats: Password leaks are security holes



On 2008-08-28 20:40, Simon Valiquette wrote:
> That's obviously true, but that doesn't cover the case when logs are
> copied to a second system with sysadmins that don't have access to the
> first server.  And if someone uses the standard 514 syslog port instead of
> using an SSL tunnel or the newer syslog-tls on port 601, well you get
> cleartext passwords on the wire (yes, people sometimes make stupid
> mistakes).

I once typed a password accidentally in the address line of a web
browser, which popped up at the wrong moment. This resulted in a
DNS query for my password. I hereby declare it a security bug
that the web browser tries to resolve my password! :~)

> Personally, I would prefer never to see passwords stored in clear text
> anywhere, whatever the file permissions are.

We're talking here about a password that has been typed
accidentally for other information. We're not talking about a
regular password store. If the password is good, nobody will
assume a password, but think that a cat ran over the keyboard.

