by teraflop on 6/14/2015, 1:59:37 PM
by userbinator on 6/14/2015, 1:40:12 PM
I guess a lot of others are also wondering, "What's the point?"
If an attacker can read the file the cookies are stored in, you have already lost.
It even mentions "obfuscation" - which might be a slight obstacle if this was closed-source - but Chromium is open-source.
by TjWallas on 6/14/2015, 1:16:42 PM
Some more details from the source:
Password is: "peanuts" Salt is: "saltysalt" Algorithm used: AES-128-CBC The number of KDF iterations is: 1
Edit: Indicate that no. of iterations is for the Key Derivation Function
by mschuster91 on 6/14/2015, 1:37:35 PM
Well without having a user-specified master password like firefox has, you're bound to use some "pseudosecret" keys.
by Navarr on 6/14/2015, 1:32:20 PM
"ksalt - at least salt is a variable, surely it at least is randomly generated, right?"
> // Salt for Symmetric key derivation.
> const char kSalt[] = "saltysalt";
by xiaq on 6/14/2015, 2:30:16 PM
In related news, if you don't have a key and a lock, you cannot really lock a door.
by __mp on 6/14/2015, 1:59:56 PM
I haven't looked at the caller code but are you sure that only the cookie code is using this function? The function looks pretty generic and it might be used somewhere else as well...
by elchief on 6/14/2015, 5:54:55 PM
Linux -> Linus -> (Charles Schultz) Peanuts-> peanut?
by bhaavan on 6/14/2015, 4:19:53 PM
Well, atleast it goes well with the salt.
by memborg on 6/14/2015, 2:37:04 PM
mmmmhhhh. Salted peanuts
This is misleading. If you follow the links to the Chromium bug tracker, you'll note that Chrome integrates with the GNOME and KDE encrypted password managers when they're available. If they're not, it falls back to storing passwords itself with obfuscation, which is the best it can do. (On Windows and OS X, it uses CryptProtectData and the Keychain API, respectively.)
https://code.google.com/p/chromium/wiki/LinuxPasswordStorage