pct / tunnelblick

Automatically exported from code.google.com/p/tunnelblick
0 stars 0 forks source link

Cannot paste password #157

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Start Tunnelblick 
2. Connect to a VPN with a password-protected key 
3. Try to paste password to input field with CMD+V or right-click > paste

What is the expected output?
The password can be pasted from clipboard.

What do you see instead?
Nothing ;-)

What version of Tunnelblick are you using? On what version of OS X?
3.0_1437 on 10.4.6

Please provide any additional information below. Please include your
configuration file and the contents of the OpenVPN Log window (including
the first few lines with version information), but remember to remove any
sensitive information such as IP addresses.

Original issue reported on code.google.com by pickschn...@gmail.com on 6 Aug 2010 at 10:35

GoogleCodeExporter commented 9 years ago
Thanks for your report. Sorry to have to say this, but: "it's not a bug, it's a 
feature"!

Specifically, It's a security feature.

This behavior matches OS X's behavior when asking for an administrator's 
password (for example, when you run Tunnelblick for the first time). The reason 
the behavior matches is that we use a standard OS X password entry item for the 
password entry box. It is that standard that enforces the no-paste restriction 
and displays the password as bullets as you type it in.

You can have the password saved in your keychain if you wish, and Tunnelblick 
will automatically fill it in for you. But you do need to type it in once.

Original comment by jkbull...@gmail.com on 6 Aug 2010 at 11:00

GoogleCodeExporter commented 9 years ago
I have changed my mind on this issue.

The changes to implement this have already been made to the source code and 
committed as r1415. It will be included in the next beta release. Both 
command-v and right-click/paste are supported.

The practice of doing a copy/paste of passwords is discouraged for two reasons:

(1) After the copy, the password is available to all programs running on the 
computer until other text is cut or copied. For example, a webpage running 
malicious Javascript, which could then send it anywhere on the Internet.

(2) After the copy, the password is available to anyone else who has physical 
access to the computer until other text is cut or copied. For example, a 
co-worker with access to your computer can paste the password into a document 
and see your password.

I believe that these reasons are why OS X doesn't allow copy/paste in password 
fields.

However, I agree that being able to do this is very useful. And it is safe for 
someone who cuts/copys something else immediately afterward to remove the 
clipboard entry, and who closes all other programs while doing this.

Original comment by jkbull...@gmail.com on 14 Apr 2011 at 10:31

GoogleCodeExporter commented 9 years ago
Thanks for fixing this. May I add (3): think of one-time-passwords, i.e. 20 
character long passwords which one had to put in by hand rather via copy & 
paste. And being one-time-passwords, "save to keychain" would not help. So 
again, thanks, this is really helpful!

Original comment by ckujau on 4 Aug 2011 at 1:51