Bugs item #1694961, was opened at 2007-04-05 09:21
Message generated for change (Comment added) made by lschiere
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=100235&aid=1694961&group_id=235

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
>Status: Closed
>Resolution: Invalid
Priority: 5
Private: No
Submitted By: Damien Carbery (daymobrew)
Assigned to: Nobody/Anonymous (nobody)
Summary: plaintextpasswords.php page doesn't mention gnome-keyring

Initial Comment:
The http://gaim.sourceforge.net/plaintextpasswords.php page doesn't mention the 
support that gaim has for gnome-keyring. It probably falls into the "Store a 
password(s) behind a password" category.

FYI: A blogger, 
http://blogs.sun.com/darren/entry/gaim_password_storage_insecure, mentions 
additional scenarios where plain text passwords are a problem.

----------------------------------------------------------------------

>Comment By: Luke Schierer (lschiere)
Date: 2007-04-11 14:57

Message:
Logged In: YES 
user_id=28833
Originator: NO

That webpage basically looks at Jabber only, where we have support for
SASL in the 2.0.0 beta series.  He doesn't give any real way to _securely_
store passwords though, other than integration with gnome-keyring (which,
to be secure, still means typing in a password.  Otherwise, you store your
password there, and get up from your desk and walk away.  I then sit down
at your computer and launch gaim inside gdb, and use that to pull your
password from gnome-keyring.  Even if gaim only stores it in memory long
enough to use the password, you would be vulnerable to this attack, UNLESS
you still have to type in a password for access to gnome-keyring.).

Basically, nothing here disproves or refutes anything I wrote on the
plaintextpassword page. 

I'm more than willing to discuss this further, on the mailing list
[EMAIL PROTECTED]  However, I fully intend to subject any idea to a hard
look at exactly how it would handle the password.  If it isn't actually
secure, I'll continue to say that we are better off with the current
system. 

----------------------------------------------------------------------

Comment By: Damien Carbery (daymobrew)
Date: 2007-04-06 12:30

Message:
Logged In: YES 
user_id=843868
Originator: YES

Oops, my mistake. I work for the JDS/GNOME group in Sun Microsystems. We
added support for gnome-keyring in our builds.
http://cvs.opensolaris.org/source/xref/jds/spec-files/trunk/patches/gaim-06-gnome-keyring.diff
If you are interested in the feature, I will make a note to ask the author
of the patch to submit it to you.

----------------------------------------------------------------------

Comment By: Daniel Atallah (datallah)
Date: 2007-04-06 00:01

Message:
Logged In: YES 
user_id=325843
Originator: NO

There is no mention of gnome-keyring support because gaim doesn't
currently have any support for gnome-keyring.

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=100235&aid=1694961&group_id=235

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Gaim-bugs mailing list
Gaim-bugs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/gaim-bugs

Reply via email to