-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Obsolete the SecureString type #30612
Comments
@jozefizso You thumbed down this idea, so I'm assuming you use securestring right now. Is there any chance you could expand on your objection here? |
Yes, for example the The same way you can remove MD5 hash algorithm from .NET because people are using it to insecurely store passwords. |
You've got about the only good example of using it right, powershell passwords being the other. MD5 at least as more legitimate uses (and is baked into the HTTP standard. Heck we can't remove 3DES because it's part of EMV). If it was moved out of corefx and into a separate, unsuipported package, where eventually a lot of bad decisions will go and which would have a horrific name like Microsoft.Unsupported.UnsafeThings (this is why no-one lets me name stuff), where you could opt into using it, and would have to put an extra flag in your solution to maybe make people think some more, would that be helpful? |
FYI I'm not suggesting deleting the type, only obsoleting it. Jozef, who is the adversary in your scenarios threat model? How does the use of SecureString in this particular scenario thwart the adversary? Edit: I ask not to be argumentative, but because there might exist an opportunity to create a better type for your scenario. We might be able to craft something more narrow in scope than what SecureString was trying to accomplish, and perhaps that replacement would be better suited for your application. |
In addition to logging, PowerShell also relies on this type to determine when to prompt without echo. Would it make sense to have a |
Without providing any replacement nor information how to do it right and what will you do to make existing workflows like asking for passwords in console apps, password boxes, etc. and preventing passwords from leaking in places like loggin it does make sense to delete a class from .NET Framwork. Having such a needed class in unsupported library? Ehm, no, just no. |
Part of the point of the issue is to gather feedback on what you use it for, however "obvious" uses doesn't help us very much. We want to know
We don't want to let our own biases make assumptions, we want you to be explicit please. |
On crash dumps: https://devblogs.microsoft.com/oldnewthing/20161104-00/?p=94645 |
Related issue: GC support for zeroing the managed heap on compaction (https://github.com/dotnet/coreclr/issues/18386). The premise of that work item is to limit exposure of sensitive data in memory, regardless of whether it's in a string, array, or some other type. |
@jozefizso I admit I am a little confused when you mention Win32. Windows has no idea about securestrings, they're purely a .NET concept. Which APIs are you thinking of here? |
@jozefizso That's not a Win32 method, that's the marshaller method for how to pass a SecureString to a C function that takes |
I'm not a professional developer yet, so I don't know if my opinion counts, but it seems weird to me that this would be obsoleted. Aren't there still benefits in using this? If you're careful you can make sure that the string has a short, predetermined, lifetime. |
SecureString, on Windows, is useful if:
Effectively, if you've ever had the value in a
It depends on your threat model / risk concern:
It is. Just use
So long as you never copied the data into
We actually docs-deprecated it more than 2 years ago: https://github.com/dotnet/platform-compat/blob/master/docs/DE0001.md, with a big warning on MSDN/docs.microsoft.com (https://docs.microsoft.com/en-us/dotnet/api/system.security.securestring?view=netframework-4.8) Now we're just moving it to a compile warning so more people notice. |
@bartonjs Thanks for the info! It's unfortunate that people are not careful in their use of |
From the code sample on MSDN it was obvious, that the password is secured in a general scenario - PasswordBox up to the LogonUser. As a developer, SecureString provides a promise of storing password securely and I don't have to deal with Secure Kernel stuff. I don't know which one is worse - that you failed to document the SecureString class does not provide any security (it appears it behaves exactly contrary to documented behavior) or that you are removing a useful class. Can it be misused? Of course it can. With such premise we can delete the whole .NET Framework and not just this single class. |
PS: if you are concerned by misusing the SecureString class, what do you think people will do without it? They will create their own crypto so applications will be even more insecure. |
The "DE0001: SecureString shouldn't be used" also starts with a misconception, I think,
Indeed. Not only will that mean homebrew applications which store things less securely - "Just XOR everything with 42, it'll be fine", but the problem of the secret being in memory in the clear is not solved. |
SecureString is not perfect. SecureString can be misused. SecureString can be misunderstood. No, SecureString's value is not limited to Win32 APIs. We are working on Azure integration service and we deal with passwords, credentials and secrets all the time (we handle over 300 services, which have a great range of authentication methods). We don't want those in the clear in memory. We do provide support for non-password based credentials when possible, which is not always the case. There are many, many APIs -local OS and remote services- which still rely on username password credentials. Some 3rd party clients have learn to use SecureString to protect the passwords they pass to their own server service (with on-the-wire encryption, so that the secrets goes from in-memory encrypted to on-the-wire encrypted). Removing SecureString and telling developers to go implement their own encrypted approach is baffling. Improve it instead. Provide better pattern. Implement code analysis detector for unsafe use of SecureString. Don't give up on security. Ever. |
Nobody is telling developers to implement their own approach to encryption, and nobody is giving up on security. In fact, the proposed replacement (see https://github.com/dotnet/coreclr/issues/18386) clears out memory more aggressively and prevents secrets leakage better than |
Very interesting discussion around SecureString. We've got some services that connect to Azure SQL DB from a WinForms app (No ASP.NET). Need to encrypt the ConnectionString's password (this password is not typed, by an user, it's hardcoded in the ConnectionString itself). I'm not able to use Azure's AKS as I'd still need to hardcode at least one secret. Would you recommend SecureString or any other approach to get this done securely? Thanks! |
@sterenas Your scenario involves encryption of data at rest, such as connection strings being read from a config file? If you've got persisted data you need to encrypt on the local box, using X.509 certificates (for server farms) or DPAPI (for consumer machines) is a typical solution. The data is encrypted at rest. Your application decrypts the payload locally and then can operate on the plaintext as it sees fit. |
This may be technically true - in that when creating (for example) a PowerShell credential object it uses a secure string, but when we export that credential (e.g. With a certificate the problem is merely moved. Whatever has the private key can authenticate. So now instead of having to keep a password or API key secure, the need is to keep the Private Key both secure secure at rest, AND available transparently. |
Certificate private keys can be marked non-exportable. As long as the cert is in the personal or machine store, the calling process never has access to the raw private key material. That's why using certs is so popular especially in headless environments like production servers. For consumer environments, DPAPI offers a similar capability. |
Updated proposal at dotnet/designs#147. |
The
SecureString
type does not actually fulfill the promises it makes to developers. MSDN already disrecommends its use in new code, and there's other documentation listing some technical reasons why it can't fulfill its promises.We've already seen customers who use this type in server applications in an effort to fulfill auditing / compliance requirements, then those customers get bitten because they fail their audits. I detailed this a little more on Twitter, including suggesting mechanisms that customers could use to meet compliance requirements.
This legacy type is a different scenario than legacy types like
ArrayList
(the non-generic collection type). Types likeArrayList
aren't recommended for new code because there are better alternatives available, but there's no real harm in keeping those older types around for compatibility reasons. Contrast this againstSecureString
, where the existence of the type is causing active harm to customers who use it and subsequently fail audits.Since the type purports to make security promises to developers, and since it cannot fulfill those promises, it should be obsoleted in the next version of .NET Core.
/cc @blowdart @bartonjs
The text was updated successfully, but these errors were encountered: