Saturday, September 25, 2010

Re: PasswordTextBox Security

Send Arabic

2010/9/1, Gerhard Davids <glacieredpyro@gmail.com>:
> Well said Chris,
>
> And as Chris mentioned: XSS is a big problem.
>
> Make sure to spend time to create XSS-safe methods for UI objects,
> especially those that are bound to data from user input.
> Pure Java problems like the one you mentioned don't hold water on the
> web client.
> Just for the sake of completeness, GWT is compiled to JS only and makes
> use of HTML. No Java is run on the client.
>
> On Sep 1, 6:30 am, Chris Conroy <con...@google.com> wrote:
>> The PasswordTextBox results in an <input type='password'> element on the
>> page which is handled by the browser in the same way as all other such
>> password boxes.
>>
>> And, to be a bit pedantic... If you assume an attacker has access to the
>> address space of your program, then what would stop him from reading said
>> characters at the time of password entry? The security issues you should
>> be worried about are things like cross-site scripting attacks.
>>
>> On Tue, Aug 31, 2010 at 4:24 PM, drtman <drt...@gmail.com> wrote:
>> > According to at least one source, passwords should not be stored as
>> > strings in Java since they are immutable and could be readable from
>> > memory later even if the reference is nulled.  So I was wondering how
>> > PasswordTextBox maintains its value under the hood?  I know that
>> > getText() returns a string but is it coming from an instance variable
>> > maintained on the class?  If so I was thinking of writing my own class
>> > that uses a keypress event handler to maintain a char array which is
>> > more secure since it can be nulled out.
>>
>> > Just curious what anyone else's thoughts are on this.
>>
>> > --
>> > You received this message because you are subscribed to the Google
>> > Groups "Google Web Toolkit" group.
>> > To post to this group, send email to
>> > google-web-toolkit@googlegroups.com.
>> > To unsubscribe from this group, send email to
>> > google-web-toolkit+unsubscribe@googlegroups.com.
>> > For more options, visit this group at
>> > http://groups.google.com/group/google-web-toolkit?hl=en.
>>
>> --
>> Chris Conroy
>> Software Engineer
>> Google, Atlanta
>

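The thread's advice to build XSS-safe methods for UI objects bound to user input, sketched as an added example that is not part of the original messages and is not GWT's own code. It is written in JavaScript because that is what runs on the client; `escapeHtml`, `SafeHtml`, `safeHtml` and `renderGreeting` are hypothetical names, and the display name is constructed input.

```javascript
// Added example: escape user-bound data before it reaches an HTML sink.
// All names are hypothetical; nothing here is a GWT API.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that can change HTML parsing context in
// element content and in quoted attribute values. This is NOT sufficient
// for URL, script or style contexts, which need their own encoders.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Marks markup produced by the template below so that nesting one
// fragment inside another does not escape it a second time.
// Only the safeHtml tag should construct this; never wrap raw user input.
class SafeHtml {
  constructor(html) { this.html = html; }
  toString() { return this.html; }
}

// Tagged template: the literal parts are developer-written markup and are
// kept as-is; every interpolated value is escaped unless it is SafeHtml.
function safeHtml(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => {
    out += (v instanceof SafeHtml ? v.html : escapeHtml(v)) + strings[i + 1];
  });
  return new SafeHtml(out);
}

// A UI helper bound to user input: the same value is used in an attribute
// and in element content, and is escaped in both places.
function renderGreeting(displayName) {
  const label = safeHtml`<b>${displayName}</b>`;
  return safeHtml`<div title="${displayName}">Welcome, ${label}</div>`.toString();
}
```

When the value is only ever shown as text, assigning it through a text-only sink (`textContent` in the DOM) avoids building markup at all.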
