Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
Skayo85686yUnfortunately the image is blurry... Here's a high quality version: https://s22.postimg.cc/iel56kdtt/...
-
Skayo85686yOf course your GitHub account wont be the target of attackers, but it still hurts me :(
-
Skayo85686y<@Alice> <@j4cobgarby>
I'm not that stupid...
Of course I replaced the token with an automatically generated string.
But you can try if you want :) -
Skayo85686yHaha next patient is FileZilla. FTP passwords are "encrypted" in base64...
CAN DESKTOP APPLICATIONS FUCKING FINALLY PROPERLY ENCRYPT SHIT FFS -
@j4cobgarby Encrypted. Seems like a logical choice, but you can't set a password for that application. Encrypting with a standard key doesn't make sense either.
-
Skayo85686y<@PrivateGER> <@j4cobgarby>
One way, I just thought of, could be encrypting the password/token with various things that only exist on the users computer. Like file paths and stuff.
Look here:
https://howtogeek.com/70146/... -
@Skayo Then literally anyone could reverse that algo and it'd be just as bad as plaintext.
-
Skayo85686yBtw DevRantron does store your devRant API key in plain text as well.
<@tahnik>
I suggest encrypting your save files with the mac address and machine-uuid as pepper. Like here:
https://github.com/michaeldegroot/...
Adds a bit of security at least...
I don't have to remember you that you're users are a bunch of security-concerned developers :) -
Skayo85686y<@Alice>
You're right but I gotta say that the config files for my projects are not as important as for example my FTP passwords or my GitHub Account! -
Kimmax109876yThere's no point in "encrypting" oauth or api tokens, as long as these can be automatically decrypted again. Using client info doesn't change that at all, because anyone who can get hold of the config files or similar can also just make a dump of the system information. A file tree would take a second more, but is still very doable.
Storing it in anything else than in plain is just obfuscation that can be undone, the easiest way would be to attach some sort of debugger and hook into the function that uses the token. Dump the variable and you're done. Or pull a memory dump etc.
It doesn't matter, if you start it, there's a way to get the token out
Also that's why you can easily revoke and / or rate limit / restrict oauth tokens
You can spent a lot of time and money making the process harder, or you define a compromised machine as doomed anyways and focus on the things you actually can control -
No amount of encryption or encoding can protect creds in a config file. Because the key must be stored on the PC. If you can read the config, then you can find the key and decrypt. Less easy but no more secure. The real solution is use a key chain or an HSM.
-
Root797246yAdd a password to the application and proceed as normal. As long as the user doesn't store the password on the same machine, you're good.
Anything else is just reversible obfuscation, as others have pointed out. -
Kimmax109876y@Root exactly. That's why I said "auto a decrypt". If you encrypt with a key that's provided on demand, eg loaded from usb or entered by the user and otherwise detached from the pc, the information should really be safe. Except when the app is running and loaded the decrypted stuff into memory, as @PrivateGER said a memory dump would fuck you over
There even where experiments where they rapidly frosted memory, removed it from the host and kept it frosted over several hours and later revealed part of its contents when heated up again -
mundo0349116yYou all know this shit is in your computer right?
So it is not about how secure the software is, it is about how secure your computer is.
Software needs to save sensite shit in your computer, most of the time you don't even know where, but you can be sure you have it somewhere.
So stop wining, secure your computer. -
@Skayo yea honestly its not really worth to encrypt or encode in any way the token. The token actually IS it's own security mechanism. It allows the app to perform what it needs WITHOUT storing actual login creds. It's generated and not user created, unique, and easily revoked.
Related Rants
Checked the GitKraken save files for fun (kind of a hobby) and oh well.... what a wonder:
They store your fucking GitHub access token in "plain text" in a hex file as you can see in the image.
I checked the token and it works. Wow.
Good job GitKraken ✔
That happens when you're closed source...
rant
gitkraken