Bugs item #1694961, was opened at 2007-04-05 09:21 Message generated for change (Comment added) made by lschiere You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=100235&aid=1694961&group_id=235
Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: None Group: None >Status: Closed >Resolution: Invalid Priority: 5 Private: No Submitted By: Damien Carbery (daymobrew) Assigned to: Nobody/Anonymous (nobody) Summary: plaintextpasswords.php page doesn't mention gnome-keyring Initial Comment: The http://gaim.sourceforge.net/plaintextpasswords.php page doesn't mention the support that gaim has for gnome-keyring. It probably falls into the "Store a password(s) behind a password" category. FYI: A blogger, http://blogs.sun.com/darren/entry/gaim_password_storage_insecure, mentions additional scenarios where plain text passwords are a problem. ---------------------------------------------------------------------- >Comment By: Luke Schierer (lschiere) Date: 2007-04-11 14:57 Message: Logged In: YES user_id=28833 Originator: NO That webpage basically looks at Jabber only, where we have support for SASL in the 2.0.0 beta series. He doesn't give any real way to _securely_ store passwords though, other than integration with gnome-keyring (which, to be secure, still means typing in a password. Otherwise, you store your password there, and get up from your desk and walk away. I then sit down at your computer and launch gaim inside gdb, and use that to pull your password from gnome-keyring. Even if gaim only stores it in memory long enough to use the password, you would be vulnerable to this attack, UNLESS you still have to type in a password for access to gnome-keyring.). Basically, nothing here disproves or refutes anything I wrote on the plaintextpassword page. I'm more than willing to discuss this further, on the mailing list [EMAIL PROTECTED] However, I fully intend to subject any idea to a hard look at exactly how it would handle the password. If it isn't actually secure, I'll continue to say that we are better off with the current system. ---------------------------------------------------------------------- Comment By: Damien Carbery (daymobrew) Date: 2007-04-06 12:30 Message: Logged In: YES user_id=843868 Originator: YES Oops, my mistake. I work for the JDS/GNOME group in Sun Microsystems. We added support for gnome-keyring in our builds. http://cvs.opensolaris.org/source/xref/jds/spec-files/trunk/patches/gaim-06-gnome-keyring.diff If you are interested in the feature, I will make a note to ask the author of the patch to submit it to you. ---------------------------------------------------------------------- Comment By: Daniel Atallah (datallah) Date: 2007-04-06 00:01 Message: Logged In: YES user_id=325843 Originator: NO There is no mention of gnome-keyring support because gaim doesn't currently have any support for gnome-keyring. ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=100235&aid=1694961&group_id=235 ------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys-and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV _______________________________________________ Gaim-bugs mailing list Gaim-bugs@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/gaim-bugs
