--- a/htdocs/faq.txt Tue Jul 22 14:08:02 2003 -0400
+++ b/htdocs/faq.txt Sat Aug 02 13:20:18 2003 -0400
@@ -795,6 +795,13 @@
the documentation on the "web of trust" model available at
http://www.gnupg.org/ and try out gaim-e.</p>
+Q: Why are the passwords in accounts.xml not encrypted? +A: This is the case of a really long answer to a short question. +See <a href="plaintextpasswords.txt">plaintextpasswords.txt</a> for an A: gaim-remote is a second executable included with Gaim starting with
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/htdocs/plaintextpasswords.txt Sat Aug 02 13:20:18 2003 -0400
@@ -0,0 +1,55 @@
+Gaim does not now and is not likely to encrypt the passwords in the +accounts.xml file (in 0.65, .gaimrc was replaced by accounts.xml, +prefs.xml, pounces.xml, and status.xml in order to make it easier to +expand as Gaim grows more complex, to make some of our current efforts +more possible, and some other reasons. The "why" of xml config files is +not addressed here though. ), nor is it likely to be encrypted in a +future release. This is somewhat controversial in Windows, esp. Windows +98 (because of its weak file protections) but that's the way things are. +The reasoning for this is multi-part. +1) Instant messaging is not very secure, and it's kind of pointless to +spend a lot of time adding protections onto the fairly strong file +protections of unix (our native platform) when the protocols themselves +aren't all that secure. The way to truly know who you are talking to is +to use gaim-e on both ends (or a similar plugin, gaim-encryption would +probably work as well), and use verified gpg keys. You shouldn't be +using your instant messaging password for anything else, anyway -- while +some protocols have decent password security, others are insufficient +and some (like irc) don't have any at all. +2) There are basically 4 approaches to password storage. A) Store a +password(s) behind a password. Basically this means that we require you +to type in some passphrase as Gaim starts in order to read the +accounts.xml file, and, to be truely secure, require you to type it +again if you write to it. Winicq does something very similar to this if +you set it to its highest security settings. B) Obscure a password. +This means we do something to store the password in some format other +than plain text, but we automatically convert it for you. This is +security by obscurity, and is a VERY Bad Thing(tm) in that it gives +users a false sense of security; a false sense that we (as Gaim +developers) believe would be worse to have than to let informed users +deal with the password issue themselves. (Consider that a naive user +might think that it is safe to share his or her accounts.xml, because +the passwords are "encrypted".) C) Store the password in plain text and +control access to the file. This is what Gaim does: the password is in +accounts.xml in plain text, but the file itself is only readable by its +owner. We allow the user to determine under what conditions sensitive +files should be opened (if at all), and what constitutes a breach of +security (for instance opening the file before you realize what's up +with it), and to react accordingly. ICQ is the ony protocol that will +allow the account to be completely taken over by surprise, and that only +because of flaws in the server that allow accounts to be highjacked _at +the server_ w/out the use of a client at all. D) Lastly, you can not +store passwords at all. This is Gaim's default, and by far the most +secure of all of the options. +If you really wanted to, you could write a script to wrap Gaim that +would decrypt accounts.xml and re-encrypt it when Gaim exists. You +wouldn't be able to encrypt it while Gaim is running, because Gaim +writes to accounts.xml for things like info change. This would minimize +your exposure time unless (like me) you run Gaim nearly 24/7. +Personally, I feel that on any decent os (unix), if someone can get to +your files you should either be able to trust the person to not touch +them, or you shouldn't be storing sensitive information there at all.