On Wednesday, February 19, 2020 at 1:48:10 PM UTC+1, Walther Klust at Elego wrote:
>
> On Wednesday, 19 February 2020 08:19:11 UTC+1, Stefan wrote:
>>
>> maybe a little more detailed:
>>
>> * this really isn't a security issue because this only works with your
>> own Windows account. And if you can't secure that, *then* you have a
>> security issue but not because of TSVN.
>>
> This feature gives an attacker a very easy way to view your passwords in
> plaintext without the need to install any other tools. Only a few moments
> of access to the desktop is required. This is not an unrealistic scenario.
>

If an attacker has access to your desktop, then your security is already gone!
Also, you don't need to install other tools: a simple copy/paste of a PowerShell script will do as well.

>
>> * any tool can do it, so why remove it from TSVN?
>>
> Within a corporate environment the ability to install additional tools
> usually is restricted.
>

We're dealing with source control here; the major audience is developers. And developers can always install tools.

> Why is this feature even in TSVN? What purpose does it serve? Should we
> not strive towards keeping the features of a software minimal for better
> maintainability and robustness?
>

Why? Just search this list for "i forgot my password" and you'll know why.

>
>> * it's undocumented, so you won't see those accidentally. Using the
>> "advanced settings" to turn this feature off as you suggested isn't better
>> in that regard.
>>
> Having undocumented features in a software should be avoided, at least for
> reasons of trust. And if this feature cannot be removed it should at
> least be configurable with default off to make it as hard as possible for
> an attacker to misuse it.
>

And you seriously think having it configurable in the advanced settings will make it more difficult for an attacker to use this feature than having it undocumented completely? Am I missing something here?

>> * have you checked your web browser lately? Every browser I know of lets
>> you see all saved passwords somewhere in their settings pages.
>>
> The browsers used in a corporate environment usually can be
> configured/hardened to prevent this behavior.
>

Nope. They can be configured to never store passwords, but not to never reveal the stored ones.
To view this discussion on the web visit https://groups.google.com/d/msgid/tortoisesvn/95d73bec-891f-4c9c-ae14-5bc68e9aebcf%40googlegroups.com.
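The "only works with your own Windows account" point above rests on how Subversion caches credentials on Windows: each entry under %APPDATA%\Subversion\auth\svn.simple is a small key/value file whose password field is a base64-encoded DPAPI blob protected in CurrentUser scope, so any code running as that user can decrypt it, and nothing else can. The script below is an added example, not code from the thread or from the TortoiseSVN/Subversion projects; it lists the cached realms and usernames for the current account and, with -Reveal, decrypts them with DPAPI the same way a "copy/paste of a PowerShell script" would. The cache path, the "wincrypt" passtype value and the absence of extra DPAPI entropy are assumptions based on the Windows build of libsvn_subr; verify them against your installed version.

```powershell
# Added example (not from the thread or the TortoiseSVN project).
# Inventory the Subversion credentials cached for the current Windows account
# and optionally decrypt them with DPAPI (CurrentUser scope).
# Assumptions: default cache location, passtype "wincrypt", no DPAPI entropy.
param([switch]$Reveal)

Add-Type -AssemblyName System.Security

# Parse one svn.simple file. The format is Subversion's hash dump:
#   K <keylen>\n<key>\nV <vallen>\n<value>\n ... END
function Read-SvnHash {
    param([string]$Path)
    $h = @{}
    $lines = Get-Content -LiteralPath $Path
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match '^K \d+$' -and $lines[$i + 2] -match '^V \d+$') {
            $h[$lines[$i + 1]] = $lines[$i + 3]
            $i += 3
        }
    }
    return $h
}

$cache = Join-Path $env:APPDATA 'Subversion\auth\svn.simple'
if (-not (Test-Path -LiteralPath $cache)) {
    Write-Host "No cached Subversion credentials under $cache"
    exit 0
}

foreach ($file in Get-ChildItem -LiteralPath $cache -File) {
    $entry = Read-SvnHash $file.FullName
    $out = [ordered]@{
        realm    = $entry['svn:realmstring']
        username = $entry['username']
        passtype = $entry['passtype']   # "wincrypt" = DPAPI-protected blob
    }
    if ($Reveal -and $entry['passtype'] -eq 'wincrypt' -and $entry['password']) {
        # Unprotect() only succeeds for the account that originally called
        # Protect(): this is exactly the "your own Windows account" property.
        $blob  = [Convert]::FromBase64String($entry['password'])
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect(
                     $blob, $null,
                     [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
        $out['password'] = [Text.Encoding]::UTF8.GetString($plain)
    }
    [pscustomobject]$out
}
```

Run it without -Reveal to see what a given account has cached. If the policy concern is that anyone at an unlocked desktop can read these, the control that actually helps is the one Stefan names for browsers: stop caching rather than try to hide what is cached. In %APPDATA%\Subversion\config, setting store-passwords = no under [auth] (or per server group in the servers file) makes the svn.simple entries disappear, after which there is nothing for TSVN, this script, or any other tool running as the user to reveal.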
