On Tue, 2006-04-25 at 16:45 +0900, Jon Keating wrote:
> On Tue, Apr 25, 2006 at 03:38:57AM -0300, Jose Tavares wrote:
> > Is there a way to make Licq connect without sending the password in
> > plain text?
>
> Well, what you are asking about is the protocol... Licq supports
> AIM/ICQ and MSN so I'm gonna assume you are asking about ICQ. The ICQ
> protocol does not send passwords in plain text for... many years now.
> It is however trivial to decrypt the password if you sniff the packets.
> In fact, I bet you can google for it and find such software very
> quickly.
>
> ICQ as a protocol doesn't support truly safe password encryption. It's
> a major flaw in the protocol, which all clients must obey (otherwise we
> can't login).

Hmm.. I sniffed my own home network and dsniff decrypted my Licq pass..
That was so direct that I thought there was no encryption at all.. :)

> > It's a contradiction Licq offering a secure conversation channel and
> > sending plain password.. If someone gets my pass, he/she will be able to
> > connect to anyone on my list using a secure connection.. :) He/she will
> > not see my conversation, but will be able to make the other party talk
> > about confidential topics..
>
> Well, that's what GPG or the forthcoming OTR plugin is for.
>
> > Comparing to msn, I loaded amsn in this open wifi net and the login was
> > secure but the conversation was plain..
>
> Well, let's see what you are talking about ICQ != MSN. If you are
> talking about the MSN protocol plugin of Licq, then yes, your password
> is sent over an SSL connection to the MSN server. That is part of the
> protocol and once again, all MSN clients must obey this.
>
> > Question: Do you have plans to support a secure login in icq? I remember
> > that years ago I was on this list and there were people asking this
> > question that time ...
>
> Please ask AOL that question, we can't control the ICQ servers or ICQ
> protocol.
>
> Jon

I was always comparing ICQ protocol with MSN protocol and Licq with
aMSN .. I think I wasn't clear in my first email..

aMSN offers 2 ways to connect. With SSL and without SSL. As I captured
my Licq pass so easily with dsniff and because a friend of mine had told
me that ICQ "could" login securely, I thought there were 2 ways to
authenticate with ICQ too.. And I thought Licq wasn't using crypto as
dsniff picked my pass.. :)

Now I was clear, wasn't I?! :)

[]
JA Tavares

_______________________________________________
Licq-Main mailing list
https://lists.sourceforge.net/lists/listinfo/licq-main
