funchords
Posted July 22, 2007

I noticed that my WebUI password was stored in plain text in %APPDATA%\utorrent\settings.dat ... I did not test it, but I suppose if I used a work proxy with authentication, my password there would be stored in plain text, too.

Both cases, the 2nd case especially, are a concern. In my former company, it would result in a security ban of the uTorrent client on any machine controlled by the company IT (even if the application was only used at home).

Suggestion: The WebUI case could be resolved with a warning message that the password is not going to be stored in a secure manner, and that they should not use the same username/password that is used on any other sensitive accounts. However, the better solution is to encrypt or obfuscate that password.

The proxy username/password is less flexible. Some level of encryption or obfuscation is needed for the password part of proxy account credentials.

This would be a new feature, and not a fix. I would rate this as important for version 1.8, but I wouldn't spin a 1.7.2 for it.

Firon
Posted July 23, 2007

Whatever obfuscation it uses would be weak, as it still needs to be able to work properly with basic HTTP auth.

Archived
This topic is now archived and is closed to further replies.