document known weaknesses
clach04 opened this issue · 0 comments
Known weaknesses and considerations.
Keywords; security, problems.
Some info in wiki:
- https://github.com/clach04/puren_tonbo/wiki/zip-format
- https://github.com/clach04/puren_tonbo/wiki/vimcrypt-format
Some info in #4
PT stores unencrypted text in memory. If a memory dump is automatically taken after a system or application crash or some of the memory is saved to a swap file, the sensitive information will be present on the disk. Sometimes it is possible to configure an operating system not to use a dump and swap files.
PT stores unencrypted passwords in memory
vim script/plugin/auto command (as of
Line 26 in 494c535
Doc command line arg exposure.
Doc or link to each encryption implementation with quick overview and possible weaknesses (some notes in #4):
- Tombo chi blowfish block mode
- pgp https://latacora.micro.blog/2019/07/16/the-pgp-problem.html?ref=words.filippo.io
- VimCrypt 1-2
- https://old.reddit.com/r/privacytoolsIO/comments/b7riov/aes_crypt_security_audit_1_serious_issue_found/ejvcym6/
For shelling out, command with same name as real command at head is path could wrap real binary/script and log passwords and/or plain text.
https://www.reddit.com/r/crypto/comments/100b0ed/how_much_of_a_security_risk_is_it_to_expose_a/
WIP ptwebcp uses/allows GET parameters for password for convenience of debugging and testing. Leaks passwords to browser history.