Opened 13 years ago

Closed 12 years ago

#1276 closed Enhancement (fixed)

encrypt the password to access web client interface using SHA-2

Reported by: gothicx Owned by: charles
Priority: Normal Milestone: 1.60
Component: Transmission Version: 1.33
Severity: Normal Keywords:
Cc:

Description

Hi!

I checked the file .config/transmission/settings.json and the rpc-password is in plain text. I think it's important to encrypt it, because if someone does a grep searching for "password" it will show it.

Thanks

Attachments (3)

crypt.diff (7.4 KB) - added by charles 13 years ago.
rough draft patch that covers libT, daemon, and gtk+.
crypt-updated.diff (5.7 KB) - added by Elbandi 12 years ago.
update to 1.5 beta1
crypt-updated-again.diff (5.8 KB) - added by charles 12 years ago.
revised again -- sync with trunk r8022


Change History (19)

Changed 13 years ago by charles

rough draft patch that covers libT, daemon, and gtk+.

comment:1 Changed 13 years ago by charles

I've added a diff to implement this in the daemon & gtk clients, as well as in the backend. I'll hold off on committing it until livings124's had a chance to weigh in on what he'd like to do on the mac end.

comment:2 Changed 13 years ago by livings124

The Mac code stores this in the Keychain already, so as long as we're still supposed to give the password to libt unencrypted, it should be fine.

comment:3 Changed 12 years ago by charles

  • Type changed from Bug to Enhancement

comment:4 Changed 12 years ago by Gimp

  • Owner changed from Gimp to charles

comment:5 Changed 12 years ago by livings124

  • Component changed from Web Client to Transmission

This seems to be something each interface would have to implement (Mac already has this implemented with Keychains).

comment:6 Changed 12 years ago by Biiaru

Perhaps it would be a bit smarter of an idea to use sha2? gothicx, if you aren't aware, md5 has been broken. Repeatedly.

comment:7 Changed 12 years ago by gothicx

Yes.. it's broken. SHA-1 is also broken, so SHA-2 should be the better choice for now.

comment:8 Changed 12 years ago by Biiaru

  • Summary changed from Please encrypt with MD5 the password to access web client interface to Please encrypt the password to access web client interface using SHA-2

Changing summary. This is a better idea, IMO.

comment:9 Changed 12 years ago by charles

so, who wants to update the patch? :)

Changed 12 years ago by Elbandi

update to 1.5 beta1

Changed 12 years ago by charles

revised again -- sync with trunk r8022

comment:10 Changed 12 years ago by charles

  • Milestone changed from None Set to 1.60
  • Severity changed from Major to Normal

@BentMyWookie?: all the mac client needs to work with this patch is to ensure that the password passed in via tr_sessionSetRPCPassword() and TR_PREFS_KEY_RPC_PASSWORD is encrypted. This is done by passing the plaintext through tr_crypt()...

comment:11 Changed 12 years ago by livings124

This patch is fine for me, commit it when ready.

comment:12 Changed 12 years ago by livings124

  • Summary changed from Please encrypt the password to access web client interface using SHA-2 to encrypt the password to access web client interface using SHA-2

comment:13 Changed 12 years ago by livings124

  • Resolution set to fixed
  • Status changed from new to closed

comment:14 Changed 12 years ago by jhujhiti

  • Resolution fixed deleted
  • Status changed from closed to reopened

This is so, so wrong. A patch that actually hashes the password is coming soon. And for clarity:

  1. SHA-2 is a name for a collection of "stronger" hashing mechanisms such as SHA-256 and SHA-512.
  2. Neither MD5 nor SHA-1 has been "broken." Hashes, by definition, cannot be reversed. What has happened is that ways of creating collisions quickly have been discovered. Salting a password hash solves this.

comment:16 Changed 12 years ago by jhujhiti

  • Resolution set to fixed
  • Status changed from reopened to closed

Fixed in r8080. Anyone who ran trunk or a nightly between r8072 and r8080 will need to reset their password from the Preferences dialog or directly in settings.json. When editing settings.json, you can enter a cleartext password and it will be hashed when Transmission next writes the file.
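The two behaviours discussed in comment:14 and comment:16 (a salted SHA-2 password hash, and a settings file whose cleartext rpc-password is replaced by its hash the next time the file is written) are demonstrated below. This is an added, stand-alone example and not Transmission's code; the stored format `{<salt hex>$<digest hex>`, the use of PBKDF2-HMAC-SHA256 as the iterated SHA-2 construction, and the function names are all assumptions made for the example, and the settings dictionary is constructed.

```python
import hashlib
import hmac
import json
import os
import re
from typing import Optional

# Assumed storage format (constructed for this example, not Transmission's own):
#   "{" + hex(16-byte salt) + "$" + hex(PBKDF2-HMAC-SHA256(password, salt))
HASH_PREFIX = "{"
SALT_BYTES = 16
ITERATIONS = 100_000
_HASHED_RE = re.compile(r"^\{([0-9a-f]{32})\$([0-9a-f]{64})$")


def hash_password(plaintext: str, salt: Optional[bytes] = None) -> str:
    """Return the stored form of `plaintext`: a random 16-byte salt plus an
    iterated SHA-256 digest. Supplying a fixed salt is only for tests."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    if len(salt) != SALT_BYTES:
        raise ValueError("salt must be exactly 16 bytes")
    digest = hashlib.pbkdf2_hmac("sha256", plaintext.encode("utf-8"), salt, ITERATIONS)
    return f"{HASH_PREFIX}{salt.hex()}${digest.hex()}"


def is_hashed(value: str) -> bool:
    """True only if `value` matches the complete stored format, so a cleartext
    password that merely begins with '{' is not mistaken for a hash."""
    return _HASHED_RE.match(value) is not None


def verify_password(plaintext: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.
    A stored value that is not in hashed form never authenticates."""
    m = _HASHED_RE.match(stored)
    if m is None:
        return False
    salt = bytes.fromhex(m.group(1))
    expected = bytes.fromhex(m.group(2))
    actual = hashlib.pbkdf2_hmac("sha256", plaintext.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(actual, expected)


def normalize_settings(settings: dict) -> dict:
    """Mimic 'hash on next write': if rpc-password is cleartext, replace it with
    its hashed form; values that are already hashed are left untouched, so the
    operation is idempotent and never double-hashes."""
    out = dict(settings)
    pw = out.get("rpc-password")
    if isinstance(pw, str) and not is_hashed(pw):
        out["rpc-password"] = hash_password(pw)
    return out


if __name__ == "__main__":
    # Constructed sample of the relevant keys from a settings.json.
    before = {"rpc-enabled": True, "rpc-username": "transmission", "rpc-password": "hunter2"}
    after = normalize_settings(before)
    print(json.dumps(after, indent=2))
    print("login ok:", verify_password("hunter2", after["rpc-password"]))
    print("wrong pw:", verify_password("hunter3", after["rpc-password"]))
```

The salt is what makes the hash of the same password differ between installations, so a precomputed table of digests cannot be reused; the iteration count slows brute force of a leaked settings file, and `hmac.compare_digest` avoids leaking which bytes matched through timing. The strict regex on the stored format is what lets the file safely carry either a cleartext or a hashed value, as comment:16 describes.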
