[JDEV] Jabber AIM transport caches passwords
Peter Saint-Andre
stpeter at jabber.org
Fri Mar 9 17:06:16 CST 2001
kadokev at msg.net wrote:
>
> I've noticed that the AIM transport for Jabberd is storing the AIM information
> permanently in a file on the jabber server, including the username and
> password for every AIM account used through the transport?
By no means am I strongly defending this practice on the part of our
transport developers (though they've certainly put a lot of work into
the transports, and it's a rather thankless task) and, sure, encrypting
this information would be the best way to go. However, it's probably
appropriate to point out that, AFAIK (and please correct me if I'm
wrong), none of the IM services to which Jabber connects seem overly
concerned about security, since they are not supporting things like SHA1
encryption of passwords or zero-knowledge authentication (as Jabber
does). So anytime you connect to one of those services using their
client, you are potentially exposing your password to interception.
> If nothing else, there should be prominent
> warnings in the documentation for the transport
> and to all transport users.
I'll add something about this to the Jabber User's Guide, which is in
serious need of revision anyway.... :)
Peter
--
Peter Saint-Andre
stpeter at jabber.org