From: "Steven E. Harris"
Newsgroups: gmane.emacs.gnus.user
Subject: Re: encrypting .authinfo?
Date: Sat, 20 Dec 2003 20:29:23 -0800
Organization: SEH Labs
Message-ID: <83r7yy23q4.fsf@torus.sehlabs.com>
References: <4nd6amuhne.fsf@collins.bwh.harvard.edu> <831xr02pvp.fsf@torus.sehlabs.com>

Stainless Steel Rat writes:

> If you are genuinely concerned about the security of your NNTP
> passwords then you should not use a .authinfo file at all, or keep
> it on removable media like a USB key fob (which is also great for
> storing your PGP/GPG keys and other important stuff).

That's a good point.
My main concern is that if someone steals my laptop and is
able to obtain Administrator-level access, he can override any
restrictive file permissions I have established. The .authinfo file
extends the range of the thief's acquisition. Not only does he have my
files in hand, but he now has access to my various remote accounts as
well.

Encrypting .authinfo with GPG would put me at ease. The problem is
that I don't want to have to manually decrypt it to a file every time
I start Gnus, then clean up the plain text copy afterward.

> And by the way, that may be irrelevant. Unless you use NNTP over
> SSL or through SSH tunnels, your credentials are sent in the clear
> for any packet sniffer to see.

This has been bothering me. My ISP's news server requires login
credentials. The nice aspect is that I can use the server from any
connection. The dangerous aspect is as you note: my account password,
useful to log into the mail server or into my shell account, is being
sent around as plain text.

It would be better to have a separate password established just to
cover news server logins. If that password gets sniffed, the only loss
is another user logging into the news server under my guise. He would
not have all my keys in hand. Perhaps I should take this up with my
ISP.

-- 
Steven E. Harris
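
The decrypt-without-a-plaintext-file workflow the message asks for, as an added example that is not part of the original post and is not Gnus code: gpg writes the decrypted text to a pipe, and the netrc-style entries are parsed in memory. The `~/.authinfo.gpg` path, the function names, and the sample hosts and secrets are assumptions made for illustration.

```python
import shlex
import subprocess
from pathlib import Path

# Constructed sample of decrypted .authinfo content (hosts and secrets invented).
SAMPLE_AUTHINFO = '''\
machine news.example.net login alice password "s3cret pass" port nntp
machine mail.example.net login alice password other
default login anonymous password guest
'''

def parse_authinfo(text):
    """Parse netrc-style lines into one dict of keyword/value pairs per entry."""
    entries = []
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)  # honours quotes and '#'
        if not tokens:
            continue
        entry = {}
        if tokens[0] == "default":      # fallback entry, has no host name
            entry["machine"] = None
            tokens = tokens[1:]
        if len(tokens) % 2:             # never echo the line: it holds secrets
            raise ValueError("keyword without a value in authinfo entry")
        entry.update(zip(tokens[0::2], tokens[1::2]))
        entries.append(entry)
    return entries

def lookup(entries, machine, port=None):
    """Return (login, password) for machine, else the default entry, else None."""
    fallback = None
    for e in entries:
        if e.get("machine") is None:
            fallback = fallback or e
        elif e["machine"] == machine and port in (None, e.get("port", port)):
            return e.get("login"), e.get("password")
    return (fallback.get("login"), fallback.get("password")) if fallback else None

def decrypt_to_memory(path):
    """Have gpg write the plaintext to a pipe; nothing is saved to disk."""
    done = subprocess.run(["gpg", "--quiet", "--decrypt", str(path)],
                          check=True, capture_output=True, text=True)
    return done.stdout

if __name__ == "__main__":
    path = Path.home() / ".authinfo.gpg"  # assumed location of the encrypted file
    text = decrypt_to_memory(path) if path.exists() else SAMPLE_AUTHINFO
    creds = lookup(parse_authinfo(text), "news.example.net", "nntp")
    print("login:", creds[0] if creds else "no matching entry")
```

The plaintext exists only in the memory of the calling process, so it can still reach disk through swap or a core dump unless those are encrypted or disabled.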