Haui's bytes

news, diary, journal, whatever

Security through obscurity

From the variety of available email clients, I found Claws Mail to be my favorite (maybe because after 6 years of Linux I still haven’t found the time to configure mutt...). Anyway, in today’s posting I will not praise the advantages of Claws Mail, but rant a little about one of its “security” features.

Like most programs, Claws Mail stores its configuration in a separate directory in the user’s home folder. This folder contains, among other things, all account information. Since Claws Mail doesn’t offer any kind of password manager or “master password”, one would think that the passwords for the mail accounts are stored in plain text. However, the accountrc file contains base64-encoded strings of DES-encrypted passwords. At this point, one should wonder how the program can encrypt the passwords without asking the user for a password. The solution is simple: the encryption password is hardcoded into the binary. With this knowledge it’s obvious that this approach is a clear case of security through obscurity. Given the accountrc file and the binary, anyone can easily decrypt the passwords, e.g. with this standalone C program.

If you need more security than restrictive file permissions on your home folder can provide, you still have several options: patch Claws Mail’s source code to use a real password safe for storing the passwords, use file encryption (either for your complete home folder or just for ~/.claws-mail, e.g. with encfs), or switch to another email client.
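To make the point concrete, here is the storage scheme described above reproduced in Go. This is an added illustration, not Claws Mail's code: `embeddedKey` is a constructed placeholder (the real constant is not reproduced here), and `Obscure`, `Reveal` and `ecb` are names chosen for this example. The useful observation is that `Reveal` needs no input except what every installation already ships with.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/base64"
	"errors"
)

// Constructed 8-byte key standing in for the constant compiled into the binary. It is NOT
// Claws Mail's real key, but reading the real one out of the binary is no harder than this.
var embeddedKey = []byte("exampl3k")
var block, _ = des.NewCipher(embeddedKey) // key is exactly 8 bytes, so this cannot fail

// ecb applies op (block.Encrypt or block.Decrypt) to each 8-byte block of in, ECB-style.
// Callers guarantee len(in) is a non-zero multiple of des.BlockSize.
func ecb(in []byte, op func(dst, src []byte)) []byte {
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += des.BlockSize {
		op(out[i:i+des.BlockSize], in[i:i+des.BlockSize])
	}
	return out
}

// Obscure mimics the accountrc format the post describes: DES under the embedded key, then
// base64. Nothing the user knows enters the computation, so every install produces the same output.
func Obscure(password string) string {
	n := des.BlockSize - len(password)%des.BlockSize // PKCS#7 padding, always 1..8 bytes
	padded := append([]byte(password), bytes.Repeat([]byte{byte(n)}, n)...)
	return base64.StdEncoding.EncodeToString(ecb(padded, block.Encrypt))
}

// Reveal undoes Obscure with nothing but the same constant, which is why the scheme adds
// nothing over the permissions on the config directory.
func Reveal(stored string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%des.BlockSize != 0 {
		return "", errors.New("stored value is not a whole number of DES blocks")
	}
	pt := ecb(ct, block.Decrypt)
	n := int(pt[len(pt)-1]) // strip PKCS#7 padding, rejecting an out-of-range trailer byte
	if n < 1 || n > des.BlockSize {
		return "", errors.New("bad padding")
	}
	return string(pt[:len(pt)-n]), nil
}
```

Because there is no salt and no user secret, two users with the same mail password end up with identical accountrc strings; that determinism is as much a giveaway as the embedded key itself.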