From: Simon Josefsson
Newsgroups: gmane.emacs.gnus.user
Subject: Re: encrypting .authinfo?
Date: Sat, 20 Dec 2003 09:16:44 +0100

Stainless Steel Rat writes:

> * Steven Elliot Harris on Fri, 19 Dec 2003
> | I'll bite. If .authinfo contains several passwords for different
> | servers, it's more of a password "vault" with a single key. For every
> | password I add to the unencrypted file, I'm adding risk of exposure in
> | trade for convenience. Adding a password to encrypt the file restores
> | a single point of security to multiple points of convenience.
>
> .authinfo is mostly known or easily obtained plain text, including the
> machine, login and password keywords, your login name and the names or IP
> addresses of your NNTP servers. This makes it vulnerable to known plain
> text attacks. Encrypting .authinfo will keep out casual snoopers,
> but you can already do that with proper file permissions. It will not stop
> a concerted attack.

Good tools are not vulnerable to known plain text attacks.

If crypt++.el supports GnuPG, then that should suffice, but I'm not sure
if crypt++.el handles `insert-file-contents' which is what netrc.el
uses. Perhaps netrc.el has to be changed slightly to support this.

> And by the way, that may be irrelevant. Unless you use NNTP over SSL or
> through SSH tunnels, your credentials are sent in the clear for any packet
> sniffer to see.

Exactly.
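
The two exposure points raised in this thread, who can read the file and how many passwords one read reveals, can be checked mechanically. The following is an added example, not part of the original message or of Gnus: it parses only the machine, login and password keywords named above, and the function names, hosts and passwords are constructed for illustration.

```python
import shlex
import stat
import tempfile
from pathlib import Path

# Constructed sample; hosts, login and passwords are made up.
SAMPLE = """\
# news servers
machine news.example.org login alice password s3cret-one
machine nntp.example.net login alice password s3cret-two
"""


def parse_authinfo(text):
    """Return one dict per 'machine' entry; other tokens are ignored."""
    entries = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        tokens = iter(shlex.split(line))
        for key in tokens:
            if key == "machine":
                entries.append({"machine": next(tokens, "")})
            elif key in ("login", "password") and entries:
                entries[-1][key] = next(tokens, "")
    return entries


def audit(path):
    """Report who can read the file and how many passwords it exposes."""
    path = Path(path)
    mode = stat.S_IMODE(path.stat().st_mode)
    entries = parse_authinfo(path.read_text(encoding="utf-8"))
    return {
        "mode": oct(mode),
        "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        "machines": [e["machine"] for e in entries],
        "passwords_in_cleartext": sum("password" in e for e in entries),
    }


def demo():
    """Audit the sample at mode 0644, then again after tightening to 0600."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp, ".authinfo")
        path.write_text(SAMPLE, encoding="utf-8")
        path.chmod(0o644)
        loose = audit(path)
        path.chmod(0o600)
        return loose, audit(path)
```

Tightening the mode changes only `readable_by_others`; the password count stays the same, which is the "vault with a single key" exposure that file permissions alone do not remove.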