Report Tool Questions

Hello,

Then report is posted is it check for duplicates? If not, the MD5 digest on stack trace will be helpfully. Before posting IDEA must check that the same MD5 for this build not posted yet.

Where IDEA save passwords for proxy and ITN? This is my domen password, and i would not like to have store it in some files. Also it may to be security issue - some "bad" plugin may read this and try to send to "badguy".

Since 926 ER settings expected in IDE settings, but it was here before. Where i can find it?

Thanks!

10 comments
Comment actions Permalink

Some no good sound...
My password is stored in file config/options/other.xml
I decode it quickly by http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/Default.aspx

So, it realy security issue, please add checkbox for saving propmt passwords in other.xml file.

Password encode for BASE64 algoritm is not good as password storing. Please use encrition SHA algorihtm with secret key. Password will encoded by open key (some file in config directory) must be readed only for decription with secrect key - some binary (for example random classfile) file hidden in IDEA core.

So, now if you would like to have safe computer, please erase section after error send:

]]>


Thanks!

0
Comment actions Permalink

Well, that's an issue about convenience. I agree that the automatic saving must be
optional (off by default) and maybe even bundled with a message that this might
introduce a security problem.

However, there is no 100% secure way to encrypt locally stored passwords to make
it safe against spyware. I don't think it will help anything if there is some sort of security
by obscurity (keys hidden in code, special algorithms, etc.) implemented, because if
somebody really wants to steal passwords he will find the hidden keys and/or algorithm.

On the other hand, base64 is ok to prevent somebody getting the password by just looking
at it. It's basically the same sort of protection that .cvspass files have.

But I agree, storing passwords without user-approval is not a good style. We need a
switch to control the saving of login info for ITN and proxy for those who have security
concerns. Why not file a SCR in tracker?

Sascha


BTW: $ echo OikgeW91IGFyZSByZWFseSBoYWNrZXI= | openssl base64 -d
Good one :)

Alexey Efimov wrote:

Some no good sound...
My password is stored in file config/options/other.xml
I decode it quickly by http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/Default.aspx

>

So, it realy security issue, please add checkbox for saving propmt passwords in other.xml file.

>

Password encode for BASE64 algoritm is not good as password storing. Please use encrition SHA

algorihtm with secret key. Password will encoded by open key (some file in config directory) must be
readed only for decription with secrect key - some binary (for example random classfile) file hidden
in IDEA core.
>

So, now if you would like to have safe computer, please erase section after error send:

>

<component name="ErrorReportConfigurable">
<option name="ITN_LOGIN" value="aefimov" />
<option name="ITN_PASSWORD_CRYPT" value="OikgeW91IGFyZSByZWFseSBoYWNrZXI=" />
<option name="EMAIL" value="" />
<option name="SHOW_MORE_INFO" value="true" />
<option name="USE_HTTP_PROXY" value="true" />
<option name="PROXY_HOST" value="192.168.0.55" />
<option name="PROXY_PORT" value="port" />
<option name="PROXY_AUTHENTICATION" value="true" />
<option name="PROXY_LOGIN" value="spklabs\aefimov" />
<option name="PROXY_PASSWORD_CRYPT" value="OikgeW91IGFyZSByZWFseSBoYWNrZXI=" />
</component>

>
>

Thanks!



0
Comment actions Permalink

I post SCR in tracker :)


0
Comment actions Permalink

Well, that's an issue about convenience. I agree that
the automatic saving must be
optional (off by default) and maybe even bundled with
a message that this might
introduce a security problem.

However, there is no 100% secure way to encrypt
locally stored passwords to make
it safe against spyware. I don't think it will help
anything if there is some sort of security
by obscurity (keys hidden in code, special
algorithms, etc.) implemented, because if
somebody really wants to steal passwords he will find
the hidden keys and/or algorithm.

On the other hand, base64 is ok to prevent somebody
getting the password by just looking
at it. It's basically the same sort of protection
that .cvspass files have.


There is a HUGE difference between storing the passwords with a one-way encryption, and storing them in base64 encoding.

Further, when the password is sent to the server, it should be sent in its encrypted form, and compared in its encrypted form.

In other words, outside of the widget where the password was typed in, it should never be stored or transmitted in anything other then a 1-way encrypted form.

Mike

0
Comment actions Permalink

True, but only for the ITN password. The proxy password has to be sent in
plaintext (well, also base64'ed in some way) which means no one-way encryption
for the proxy password and this is the biggest issue IMHO. I can choose my ITN
password to be unique; if it gets stolen, the biggest problem could be that someone
posts some crap using it; no big deal probably. The proxy password is probably
a 'real' life password that might be more interesting for an attacker, but cannot be
secured as a one-way hash.

If this raises security concerns for somebody, the best is not to store the password
on disk which is unfortunately less convenient. Any obscure magic to encrypt the
password is only slightly better than base64 - it can be reverse-engineered anyway.

Also, one-way encryption only solves the problem that the password can be read -
not the problem that the password/hash can be used to connect to a service. If
somebody spys out the hash of your password he can probably do the same as if he
got it as plaintext.

I just wanted to say that we shouldn't require IDEA to become some kind of password-
safe. If I feel the risk is non-existent or low, it is fine for me when the passwords are
saved in any format that is not directly readable. If the risk is high, I have no other
possibility than not to save the passwords. There's nothing in between IMHO.

Sascha


Michael Kirby wrote:

There is a HUGE difference between storing the passwords with a one-way encryption, and storing

them in base64 encoding.
>

Further, when the password is sent to the server, it should be sent in its encrypted form, and

compared in its encrypted form.
>

In other words, outside of the widget where the password was typed in, it should never be stored

or transmitted in anything other then a 1-way encrypted form.
>
>

Mike



0
Comment actions Permalink

Michael Kirby wrote:

There is a HUGE difference between storing the passwords with a one-way encryption, and storing them in base64 encoding.

Further, when the password is sent to the server, it should be sent in its encrypted form, and compared in its encrypted form.

In other words, outside of the widget where the password was typed in, it should never be stored or transmitted in anything other then a 1-way encrypted form.


Actually, you're wrong. The password has to be encrypted at the server to be
compared with the stored password, otherwise there's no real security:
anyone could intercept your encrypted password, submit that and they'd be
logged in as you. Not good.

The real solution is to send the plaintext password over an encrypted
channel (an SSL connection, for example). That way you protect the password
in transit and the server can sensibly authenticate you.

To get back on topic (sort-of), I think establishing SSL connections just
for error reporting is overkill. As long as you're sensible (i.e. -don't-
use the same password for IntelliJ and your bank account), you really don't
have much to worry about.

Cheerio,
Vil.
--
Vilya Harvey
vilya.harvey@digitalsteps.com / digital steps /
(W) +44 (0)1483 469 480
(M) +44 (0)7816 678 457 http://www.digitalsteps.com/

Disclaimer

This e-mail and any attachments may be confidential and/or legally
privileged. If you have received this email and you are not a named
addressee, please inform the sender at Digital Steps Ltd by phone on
+44 (0)1483 469 480 or by reply email and then delete the email from
your system. If you are not a named addressee you must not use,
disclose, distribute, copy, print or rely on this email. Although
Digital Steps Ltd routinely screens for viruses, addressees should
check this email and any attachments for viruses. Digital Steps Ltd
makes no representation or warranty as to the absence of viruses in this
email or any attachments.

0
Comment actions Permalink

Michael mean that sending to ITN site only digest of password, but not
password itself. It good practice, becouse password not stored/sended in
plain text, only uniq checksum of password (as certificate signature) was
used.

The SSL channel - is SHA with/without secret key encription packets protocol
over HTTP, it realized already by Java SSE.
But here SSL not needed, we wan't to send some private data.

So, i like if IDEA will send MD5 or SHA digests to authorize me on ITN. MD5
is forced now oficialy and depricated as old encription algoritm, so SHA is
good :)

Thanks!
--
Alexey Efimov, Software Engineer
Sputnik Labs,
http://www.spklabs.com


0
Comment actions Permalink

1) ER check MD5 hash of full stack trace.

2) In the next EAP build will be an option to not save passwords.

3) "Bad" plugin is an another important and unsolved question. It's possible to create a destructive plugin
that can remove all files on disk... And we haven't a way to prevent such distruction.

"Alexey Efimov" <aefimov@spklabs.com> wrote in message news:7156233.1063960319834.JavaMail.itn@is.intellij.net...

Hello,

>

Then report is posted is it check for duplicates? If not, the MD5 digest on stack trace will be helpfully. Before posting IDEA

must check that the same MD5 for this build not posted yet.
>

Where IDEA save passwords for proxy and ITN? This is my domen password, and i would not like to have store it in some files. Also

it may to be security issue - some "bad" plugin may read this and try to send to "badguy".
>

Since 926 ER settings expected in IDE settings, but it was here before. Where i can find it?

>

Thanks!



0
Comment actions Permalink

Thank you!

About plugin security.
Did you use SecureClassLoader? For loading plugins jars you can use this
classloader. In method SecureClassLoader.getPermissions(CodeSource
source):PermissionCollection you can return set of only permissions for
plugin class. For example, you can deny access to other.xml file in config
directory etc.
I not sure that it work, but i can try to do this.

Thanks!

--
Alexey Efimov, Software Engineer
Sputnik Labs,
http://www.spklabs.com


0
Comment actions Permalink

We don't use SecureClassLoader.
I think plugin sybsystem should be redesigned for next IDEA version cause current implementation
has some weakness...

Thank you for your suggestion. We'll consider it.


"Alexey Efimov" <aefimov@spklabs.com> wrote in message news:bkorab$5m1$1@is.intellij.net...

Thank you!

>

About plugin security.
Did you use SecureClassLoader? For loading plugins jars you can use this
classloader. In method SecureClassLoader.getPermissions(CodeSource
source):PermissionCollection you can return set of only permissions for
plugin class. For example, you can deny access to other.xml file in config
directory etc.
I not sure that it work, but i can try to do this.

>

Thanks!

>

--
Alexey Efimov, Software Engineer
Sputnik Labs,
http://www.spklabs.com

>
>


0

Please sign in to leave a comment.