Feature Requests item #551886, was opened at 2002-05-03 11:09
Message generated for change (Comment added) made by lschiere
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=350235&aid=551886&group_id=235

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.

Category: None
Group: None
>Status: Closed
Resolution: Invalid
Priority: 5
Private: No
Submitted By: Dave Strauss (dwstrauss)
Assigned to: Nobody/Anonymous (nobody)
Summary: proxy password saved in clear

Initial Comment:
As of Gaim 0.53, at least, the proxy password is saved in clear in .gaimrc. Isn't this a security hole? Yes I know that .gaimrc is user-readable only, but that's not much security. Proxy passwords are likely to be the same as a user's machine password.

I would think it would be better to challenge the user for the proxy password whenever signing on (or at least make that kind of behavior the default).

----------------------------------------------------------------------

Comment By: Luke Schierer (lschiere)
Date: 2007-04-17 15:42

Message:
Logged In: YES
user_id=28833
Originator: NO

As we are closing this tracker, please submit any feature request that is still valid to http://developer.pidgin.im. Thanks.

----------------------------------------------------------------------

Comment By: Ferry (freaky2000)
Date: 2004-04-01 08:56

Message:
Logged In: YES
user_id=648853

True, however as the source is widely available and considering that it would have to be a reversible encryption (as else the program wouldn't be able to use it) it's kind of pointless. The reverse-crypt code could easily be extracted and used.

You could use a system more or less like kopete does. It saves it in an encryption database, then you enter 1 password during start-up with which the passwords can be decrypted and it then decrypts the passwords for all your accounts. This will however require you to enter a password each time you start gaim.

----------------------------------------------------------------------

Comment By: Sean Egan (seanegan)
Date: 2002-05-03 14:27

Message:
Logged In: YES
user_id=199625

Fair enough.
I'll make it so that if there's nothing stored in the password box in proxy preferences, but there is something in the username box, it'll prompt you. Moving to feature requests.

----------------------------------------------------------------------

Comment By: Dave Strauss (dwstrauss)
Date: 2002-05-03 13:51

Message:
Logged In: YES
user_id=533903

Perhaps I shouldn't have mentioned the issue of the proxy password being the same as the box password, since these are really two different issues (as seanegan points out).

The issue is that the password I need to use to get through the proxy server is saved in clear. I'm not worried about my personal box, but my employer *is* worried about the security of his proxy server, and doesn't want passwords (any passwords, of any sort) stored in clear on any machines. If we can't get this resolved then we won't be allowed to use Gaim from inside the proxy server.

All I'm asking for is a feature whereby the proxy password is *not* saved in .gaimrc, and instead the user is asked for the password whenever signing on. This is not a huge deal. Yes, it doesn't make things infinitely more secure, but it's certainly more secure than before.

----------------------------------------------------------------------

Comment By: Sean Egan (seanegan)
Date: 2002-05-03 12:44

Message:
Logged In: YES
user_id=199625

> Yes I know that .gaimrc is user-readable only, but that's
> not much security.
> Proxy passwords are likely to be the
> same as a user's machine password.

So, the only way to get the password ("likely the same as the machine password"--which is poor password choosing to begin with) is to have the machine password which is "not much security."

If you're this concerned about securing your box, this is the last thing to worry about, it seems.

S.