#46 Access to any database without password knowledge possible

Status: closed
Owner: nobody
Labels: None
Priority: 5
Updated: 2007-09-06
Created: 2007-09-06
Creator: Transcendence
Private: No

Hello,

very interesting software.

Just one thing - Version 0.6.4 (Win) here on Win XP Pro:

It is possible to open and access *any* password protected database without knowing its password by simply cancelling the password dialog.

Regards
T.

Discussion

  • Logged In: YES
    user_id=609294
    Originator: NO

    ...but try to export a private key.
    It will fail as long as you cannot provide a password to decrypt the key.

    (This is also mentioned in the documentation as intended behaviour)

    Since in the database only the private keys are encrypted (3DES with the default password),
    the application shows everything you could see when opening the database with, for example, a hex editor.

    So this is a feature:
    If you cancel the password dialog, you will be prompted for the password for every security related
    operation like signing (creating) CSRs or certificates, importing or exporting private keys, creating revocation lists, etc.

     
    • status: open --> closed
     
  • Transcendence
    2007-09-06

    Logged In: YES
    user_id=1884366
    Originator: YES

    Indeed, it is mentioned in the documentation and it works like you describe it. My fault - I simply overlooked that part.

    Sorry and thanks for your explanation.

    Regards
    T.
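
The behaviour described in the discussion above, as an added example that is not part of the ticket and is not the project's own code or database format: certificate records are stored in the clear, only private keys are sealed, and the password is checked at each key operation rather than when the database is opened. The `Store` class, its method names and the sample data are hypothetical, and a standard-library HMAC keystream with encrypt-then-MAC stands in for the 3DES encryption mentioned in the thread.

```python
import hashlib, hmac, os

def _kdf(password: str, salt: bytes) -> bytes:
    # 64 bytes: first half encrypts, second half authenticates.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)

def _keystream(key: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(password: str, plaintext: bytes) -> bytes:
    salt = os.urandom(16)  # fresh salt per blob, so the keystream is never reused
    k = _kdf(password, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(k[:32], len(plaintext))))
    tag = hmac.new(k[32:], salt + ct, hashlib.sha256).digest()
    return salt + tag + ct

def unseal(password: str, blob: bytes) -> bytes:
    salt, tag, ct = blob[:16], blob[16:48], blob[48:]
    k = _kdf(password, salt)
    expected = hmac.new(k[32:], salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("wrong password")
    return bytes(a ^ b for a, b in zip(ct, _keystream(k[:32], len(ct))))

class Store:
    """Hypothetical model: public records in the clear, private keys sealed."""

    def __init__(self, password: str, certs: dict, keys: dict):
        self.certs = dict(certs)  # readable by anyone who has the file
        self.sealed = {n: seal(password, k) for n, k in keys.items()}
        self.session_password = None  # None models a cancelled password dialog

    def list_certs(self) -> list:
        return sorted(self.certs)  # no password involved

    def export_key(self, name: str, password: str = None) -> bytes:
        pw = password or self.session_password
        if pw is None:
            raise PermissionError("password required for this operation")
        return unseal(pw, self.sealed[name])

# Constructed sample data.
demo = Store("correct horse", {"web": "CN=example.test"}, {"web": b"constructed-key-bytes"})
```

In this model the password protects key material only, so confidentiality of the certificate records depends on file permissions, not on the password dialog.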