
Bug 22220

Summary: [other] keyring is not secure enough
Product: [Eclipse Project] Platform
Reporter: Genady Beryozkin <eclipse>
Component: Runtime
Assignee: platform-runtime-inbox <platform-runtime-inbox>
Status: RESOLVED WONTFIX
QA Contact:
Severity: normal
Priority: P3
CC: fg, richard.birenheide
Version: 2.0
Target Milestone: ---
Hardware: PC
OS: Windows 2000
Whiteboard:
Bug Depends on: 50006
Bug Blocks:

Description Genady Beryozkin CLA 2002-08-06 15:08:52 EDT
(based on news://news.eclipse.org:119/aig3ja$7kt$1@rogue.oti.com)

The keyring file is encrypted with a default password. If a user copies 
the file from a colleague, he will be able to decrypt it and discover its
passwords (e.g., CVS password).

Instead of using the command line password option, which nobody uses, 
Eclipse should pop up a dialog box prompting me for a password to unlock 
the keyring file. See what Mozilla does with its security system.
Comment 1 Genady Beryozkin CLA 2002-08-06 15:10:44 EDT
Also, if the user on Unix uses a password, it is visible in the process list.
Comment 2 Roland Illig CLA 2003-11-03 12:03:29 EST
One more bad thing about it is that the keyring file is created like any other
file, with permissions (0666 - umask). Because many users have umask 022, I
consider this a really serious bug.

Thanks to the simple structure of Eclipse it took me less than half an hour to
get my personal keyring displayed. That's too easy.
Comment 3 Jean-Michel Lemieux CLA 2004-04-14 15:35:15 EDT
FYI, the cvs plug-in no longer uses the cache without the user explicitly saying
that they will cache using an unsecure mechanism.
This will be in the next 3.0 I-build.
Comment 4 John Arthorne CLA 2004-07-14 14:17:57 EDT
*** Bug 68268 has been marked as a duplicate of this bug. ***
Comment 5 John Arthorne CLA 2005-07-05 16:38:42 EDT
There are no plans to improve the keyring support in Eclipse.  If you have
greater cryptographic requirements, we recommend looking at other packages such
as java.security.KeyStore.  CVS is the only known client of the Eclipse keyring, 
but it makes caching in the keyring optional and provides the caveat that this
does not protect you from people with access to your workspace data location.
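
Added example, not part of the bug report and not Eclipse code: a minimal password store built on the `java.security.KeyStore` API that Comment 5 recommends, which also avoids the two issues raised in Comments 1 and 2 by reading the master password from the console instead of the command line and by creating the file with owner-only permissions regardless of the umask. The class name, file name, alias and sample secret are constructed; a POSIX file system, an interactive console and an ASCII-only secret (a limit of PBE keys) are assumed.

```java
import java.io.Console;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.channels.Channels;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.KeyStore;
import java.util.EnumSet;
import java.util.Set;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class KeyringSketch { // hypothetical name, for illustration only
    // 0600, requested at creation time so a umask of 022 cannot leave the file world-readable.
    static final Set<PosixFilePermission> OWNER_ONLY = PosixFilePermissions.fromString("rw-------");

    static void save(Path file, char[] master, String alias, char[] secret) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // start from an empty store
        // Wrap the secret as a PBE key so it can be held in a SecretKeyEntry.
        SecretKey key = SecretKeyFactory.getInstance("PBE").generateSecret(new PBEKeySpec(secret));
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(key), new KeyStore.PasswordProtection(master));
        Set<StandardOpenOption> opts = EnumSet.of(StandardOpenOption.CREATE,
                StandardOpenOption.WRITE, StandardOpenOption.TRUNCATE_EXISTING);
        try (OutputStream out = Channels.newOutputStream(Files.newByteChannel(
                file, opts, PosixFilePermissions.asFileAttribute(OWNER_ONLY)))) {
            Files.setPosixFilePermissions(file, OWNER_ONLY); // tighten a pre-existing file too
            ks.store(out, master); // encrypted and integrity-protected under the user's password
        }
    }

    static char[] load(Path file, char[] master, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(file)) { ks.load(in, master); }
        SecretKey key = (SecretKey) ks.getKey(alias, master);
        return ((PBEKeySpec) SecretKeyFactory.getInstance("PBE")
                .getKeySpec(key, PBEKeySpec.class)).getPassword();
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console(); // null when stdin is not a terminal
        if (console == null) throw new IllegalStateException("no interactive console");
        char[] master = console.readPassword("Keyring password: "); // never passed via argv
        Path file = Paths.get(System.getProperty("user.home"), ".example-keyring.p12");
        save(file, master, "cvs", "constructed-sample-secret".toCharArray());
        System.out.println(load(file, master, "cvs").length + " chars recovered");
    }
}
```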
Comment 6 Genady Beryozkin CLA 2005-07-07 16:03:03 EDT
Why is a simple solution, like what Mozilla has, complex to implement?