[JDEV] Jabber Transports - Security issues
Dave Smith
dizzyd at dizzyd.com
Thu Nov 2 18:00:25 CST 2000
++ 02/11/00 16:56 -0700 - Todd Bradley:
>Yes, passwords are stored on the server. Depending on how the server is
>configured, there are a few ways to store passwords
>(http://docs.jabber.org/jpg/x102.html). Yes, anyone with a login and read
>access on the server can read anyone's passwords. So, if the Jabber
>administrator of jabber.org (or any other server) turns evil, he can get his
>hands on thousands of AOL passwords.
>
>The zero knowledge authentication feature in the new server makes it so you
>can configure your server so the above is not true.
Well, 0k auth only secures your Jabber-based logins. AIM, ICQ, etc.
logins will store the password in plaintext at the moment. The key here
is to realize that AIM, ICQ, and co. are not secure to start with, so
storing a password is nearly a moot point. If you want _true_ password
security, use _only_ Jabber with 0k auth.
D.