Lack of security in OpenSource?
It was an unpleasant surprise to me to find out for the first time that passwords in my favorite instant messaging client, Gaim, were stored in a plain text file, and that the only “security” the software offers is the native Unix privilege rights, which leaves them very vulnerable. I was hoping things would change with Pidgin, but in vain: the same “feature” is used in Pidgin and in all OpenSource programs based on the purple library, including Finch, Adium for Mac OS X, …, as well as in programs not based on purple, such as Licq and Psi.
According to Pidgin developers, to “obscure a password” is to
do something to store the password in some format other than plain text, but we automatically convert it for you. This is security by obscurity, and is a Very Bad Thing™ in that it gives users a false sense of security that we (Pidgin, Finch, and libpurple developers) believe would be worse to have than to let informed users deal with the password issue themselves. Consider that a naive user might think that it is safe to share his or her accounts.xml, because the passwords are “encrypted”.
They add that proprietary IM software, such as ICQ, AOL IM, Triton, Yahoo!, MSN, Gtalk, Miranda, …, is no more secure. Well, I believe that: once you find out which algorithm is used, you can decrypt the so-called encrypted password.
According to Pidgin developers, the best way to avoid an illusion of security, and to really secure one’s password, is to encrypt the config.xml file once the software is closed, using OpenSSL, GnuPG or whatever.
However, the method above can be insecure as well if you forget to encrypt or to delete the original file (yeah, “to forget” happens to the security gurus too). That’s why the only thing I recommend is to never save your password if you want your data secure.
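
The checks discussed above can be automated. The following is an added example, not code from Pidgin or from this post: it reports whether an account file is accessible beyond its owner, how many accounts have a saved plaintext password, and whether a plaintext original was left next to an encrypted copy. The XML layout, the `~/.purple/accounts.xml` default and the encrypted-copy suffixes are assumptions.

```python
import os
import stat
import sys
import xml.etree.ElementTree as ET

# Constructed sample; the <account>/<name>/<password> layout is an assumption
# about libpurple's accounts.xml, not copied from the page.
SAMPLE = """<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>
 <account>
  <protocol>prpl-jabber</protocol>
  <name>alice@example.org</name>
  <password>constructed-sample</password>
 </account>
 <account>
  <protocol>prpl-irc</protocol>
  <name>alice@irc.example.org</name>
 </account>
</account>
"""

# Suffixes an encrypted copy might carry (assumed naming, e.g. from gpg or openssl).
ENCRYPTED_SUFFIXES = (".gpg", ".asc", ".enc")


def audit(path):
    """Return (accounts_with_saved_password, findings); the secrets are never returned."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %04o: accessible beyond the owner" % mode)
    root = ET.parse(path).getroot()
    saved = [acct.findtext("name", "?") for acct in root.findall("account")
             if (acct.findtext("password") or "").strip()]
    if saved:
        findings.append("%d account(s) store a plaintext password" % len(saved))
        for suffix in ENCRYPTED_SUFFIXES:
            if os.path.exists(path + suffix):
                findings.append("encrypted copy %s exists but plaintext was left behind" % suffix)
    return saved, findings


if __name__ == "__main__":
    # Default location is an assumption; pass another path as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.purple/accounts.xml")
    for line in audit(target)[1]:
        print(target + ": " + line)
```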

December 30th, 2007 at 9:27 am
Kopete also uses a file to save password and logname

And you can copy the files of Windows Live Messenger from your friend's computer,
and lots of free software can find the password to hack your friend.
It works fine.
December 30th, 2007 at 4:58 pm
Hi,
Yes, it’s a real problem. But I found a tip on ubuntugeek.com:
You must download this patch into your Pidgin directory and do this:
tar xf master-password.patch.tar
patch -p 1
After that, you will see a new tab called "security" in the preferences to fix the problem.
Have a nice day !
December 30th, 2007 at 5:04 pm
Excuse me, I made a mistake with the tag, the code is:
tar xf master-password.patch.tar
patch -p 1
December 30th, 2007 at 5:09 pm
You have a problem with the “ ” tag? Anyway... the code is:
tar xf master-password.patch.tar
patch -p 1
December 30th, 2007 at 5:12 pm
Damn it ! Can you delete my two last posts and replace the code of the first by the following ? Thanks !
tar xf master-password.patch.tar
patch -p 1
February 23rd, 2008 at 7:19 pm
I tagged you
look at plouch plouch
March 13th, 2008 at 9:05 pm
Hey, man. Are you alive ?
May 10th, 2008 at 2:57 pm
PING!