There's no one size fits all here, what's "safe enough" for one system, may be abysmally weak on another. It's always got to be defined in light of the purpose of the protection and the risk to the system. To answer this, there needs to be a better definition of "secure" and/or "safe". This way, I can inject something really bad into a password-protected ZIP file, without knowing its password and count on the receiver assuming the file is unmodified.Īm I missing something or is this really wrong? What can we say about the security terms of a solution, if password is not required to introduce any modification in a password-protected file? So end user will not see the difference - whether the program does not ask for a password, because it already knows it (original file) or because the file being extracted doesn't need a password (file modified by me). If a victim unpacks a password-protected archive, extracting program will ask for the password only once, not every time per each file.
Replaced file will remain unencrypted, not password-protected inside the I can hijack (intercept) someone else's file (password-protected ZIP file) and I can replace one of the files it contains, with my one (fake, virus) without knowing the password.
This is completely insecure in terms of social engineering / influence etc. If I can list contents of a password-protected ZIP file, check the file types of each stored file and even replace it with another one, without actually knowing the password, then should ZIP files be still treated as secure?
0 kommentar(er)
