Bugs item #1694961, was opened at 2007-04-05 09:21
Message generated for change (Comment added) made by lschiere
You can respond by visiting: 

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
>Status: Closed
>Resolution: Invalid
Priority: 5
Private: No
Submitted By: Damien Carbery (daymobrew)
Assigned to: Nobody/Anonymous (nobody)
Summary: plaintextpasswords.php page doesn't mention gnome-keyring

Initial Comment:
The http://gaim.sourceforge.net/plaintextpasswords.php page doesn't mention the 
support that gaim has for gnome-keyring. It probably falls into the "Store a 
password(s) behind a password" category.

FYI: A blogger, 
http://blogs.sun.com/darren/entry/gaim_password_storage_insecure, mentions 
additional scenarios where plain text passwords are a problem.


>Comment By: Luke Schierer (lschiere)
Date: 2007-04-11 14:57

Logged In: YES 
Originator: NO

That webpage basically looks at Jabber only, where we have support for
SASL in the 2.0.0 beta series.  He doesn't give any real way to _securely_
store passwords though, other than integration with gnome-keyring (which,
to be secure, still means typing in a password.  Otherwise, you store your
password there, and get up from your desk and walk away.  I then sit down
at your computer and launch gaim inside gdb, and use that to pull your
password from gnome-keyring.  Even if gaim only stores it in memory long
enough to use the password, you would be vulnerable to this attack, UNLESS
you still have to type in a password for access to gnome-keyring.).

Basically, nothing here disproves or refutes anything I wrote on the
plaintextpassword page. 

I'm more than willing to discuss this further, on the mailing list
[EMAIL PROTECTED]  However, I fully intend to subject any idea to a hard
look at exactly how it would handle the password.  If it isn't actually
secure, I'll continue to say that we are better off with the current


Comment By: Damien Carbery (daymobrew)
Date: 2007-04-06 12:30

Logged In: YES 
Originator: YES

Oops, my mistake. I work for the JDS/GNOME group in Sun Microsystems. We
added support for gnome-keyring in our builds.
If you are interested in the feature, I will make a note to ask the author
of the patch to submit it to you.


Comment By: Daniel Atallah (datallah)
Date: 2007-04-06 00:01

Logged In: YES 
Originator: NO

There is no mention of gnome-keyring support because gaim doesn't
currently have any support for gnome-keyring.


You can respond by visiting: 

Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
Gaim-bugs mailing list

Reply via email to