PT stores unencrypted text in memory. If a memory dump is automatically taken after a system or application crash or some of the memory is saved to a swap file, the sensitive information will be present on the disk. Sometimes it is possible to configure an operating system not to use a dump and swap files.
Known weaknesses and considerations.
Keywords: security, problems.
Some info in wiki:
Some info in #4
#25
PT stores unencrypted passwords in memory
vim script/plugin/auto command (as of
puren_tonbo/pt.vim
Line 26 in 494c535
Doc command line arg exposure.
Doc or link to each encryption implementation with quick overview and possible weaknesses (some notes in #4):
For shelling out, command with same name as real command at head of path could wrap real binary/script and log passwords and/or plain text.
https://www.reddit.com/r/crypto/comments/100b0ed/how_much_of_a_security_risk_is_it_to_expose_a/
WIP ptwebcp uses/allows GET parameters for password for convenience of debugging and testing. Leaks passwords to browser history.
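One way to check for the wrapper risk described in the shelling-out note above, as an added example (not part of the original issue or the puren_tonbo code base): the hypothetical helper `audit_path_lookup` walks the search path in lookup order and reports entries, up to and including the one that resolves the command, where a same-named wrapper could be planted. The command name `sh` in the demo is a constructed sample.

```python
import os
import stat


def audit_path_lookup(command, path=None):
    """Resolve `command` the way a PATH search would and audit the search order.

    Returns (resolved, findings). `resolved` is the first executable match or
    None. `findings` lists (path_entry, reason) for every entry searched up to
    and including the match where a same-named wrapper could be planted.
    """
    if path is None:
        path = os.environ.get("PATH", "")
    findings = []
    for entry in path.split(os.pathsep):
        if not os.path.isabs(entry):
            # "" and "." mean the current directory, which is decided by
            # whoever controls the cwd at run time, not by the installer.
            findings.append((entry, "relative entry, depends on cwd"))
        directory = os.path.abspath(entry or ".")
        try:
            mode = os.stat(directory).st_mode
        except OSError:
            continue  # missing or unreadable entry: nothing resolves here
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            # The sticky bit does not help: it blocks deleting other users'
            # files but still lets anyone create a new file with any name.
            findings.append((entry, "group/world-writable"))
        candidate = os.path.join(directory, command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate, findings
    return None, findings


if __name__ == "__main__":
    # "sh" is a constructed sample; substitute the command actually shelled out to.
    resolved, findings = audit_path_lookup("sh")
    print("resolves to:", resolved)
    for entry, reason in findings:
        print("  risky PATH entry %r: %s" % (entry, reason))
```

The check looks only at the mode bits of each search directory, not at ownership or parent directories. Invoking the resolved absolute path instead of the bare command name avoids the search entirely.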