by djtriptych 1522 days ago
But only ever in memory. Writing to disk is the issue here.
2 comments

Often, it is plaintext over the internal network. A TLS/SSL terminating load balancer decrypts the traffic, then your request is in clear text as it hits the internal web or app server. It can be sniffed and logged without modifying the application.
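To make the architectural point above concrete, here is an added example (not posted in this thread) contrasting the two load balancer configurations it describes, written for nginx. The first block terminates TLS and forwards the request to the application server in the clear; the second re-encrypts the hop to the backend and verifies the backend's certificate, so a passive sniffer on the internal segment sees only ciphertext. Hostnames, certificate paths and the `backend.internal` name are placeholders I assumed for illustration.

```nginx
# --- Weak: TLS terminated at the balancer, plaintext to the app server ---
server {
    listen 443 ssl;
    server_name example.com;                       # assumed public name
    ssl_certificate     /etc/nginx/tls/public.crt; # placeholder paths
    ssl_certificate_key /etc/nginx/tls/public.key;

    location / {
        # Request, headers and form body (including any password field)
        # cross the internal network unencrypted from here on.
        proxy_pass http://10.0.1.20:8080;          # constructed internal address
    }
}

# --- Hardened: re-encrypt the internal hop and verify the backend ---
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/nginx/tls/public.crt;
    ssl_certificate_key /etc/nginx/tls/public.key;

    location / {
        # Forward over TLS to the app server instead of plaintext.
        proxy_pass https://backend.internal:8443;  # assumed internal DNS name

        # Verify the backend's certificate against an internal CA so the
        # balancer cannot be redirected to an impostor on the LAN.
        proxy_ssl_verify               on;
        proxy_ssl_verify_depth         2;
        proxy_ssl_trusted_certificate  /etc/nginx/tls/internal-ca.crt;
        proxy_ssl_name                 backend.internal;
        proxy_ssl_server_name          on;   # send SNI so the backend picks the right cert
        proxy_ssl_protocols            TLSv1.2 TLSv1.3;
    }
}
```

Re-encrypting the hop does not stop the application itself from logging a credential; it only removes the passive "sniff the wire" path the comment refers to. Pairing it with a request log format that never records bodies, and checking that the app server's own access logs do not echo POST parameters, covers the logging half of the concern.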
But there is no evidence that they are writing the passwords to disk.
They are writing the passwords to users' disks at least, which by itself is already really bad and easily avoidable.
How is that bad?

If you've got malware on your machine then you are already fucked. Desktops don't tend to have strong process isolation that keeps malware from reading a password in flight anyway.

I'm talking about authenticating servers in general, not just Lenovo.