HGKeeper

~~--- /dev/null Thu Jan 01 00:00:00 1970 +0000~~

+++ b/htdocs/plaintextpasswords.txt Sat Aug 02 13:20:18 2003 -0400

@@ -0,0 +1,55 @@

+Gaim does not now and is not likely to encrypt the passwords in the

+accounts.xml file (in 0.65, .gaimrc was replaced by accounts.xml,

+prefs.xml, pounces.xml, and status.xml in order to make it easier to

+expand as Gaim grows more complex, to make some of our current efforts

+more possible, and some other reasons. The "why" of xml config files is

+not addressed here though. ), nor is it likely to be encrypted in a

+future release. This is somewhat controversial in Windows, esp. Windows

+98 (because of its weak file protections) but that's the way things are.

+The reasoning for this is multi-part.

+1) Instant messaging is not very secure, and it's kind of pointless to

+spend a lot of time adding protections onto the fairly strong file

+protections of unix (our native platform) when the protocols themselves

+aren't all that secure. The way to truly know who you are talking to is

+to use gaim-e on both ends (or a similar plugin, gaim-encryption would

+probably work as well), and use verified gpg keys. You shouldn't be

+using your instant messaging password for anything else, anyway -- while

+some protocols have decent password security, others are insufficient

+and some (like irc) don't have any at all.

+2) There are basically 4 approaches to password storage. A) Store a

+password(s) behind a password. Basically this means that we require you

+to type in some passphrase as Gaim starts in order to read the

+accounts.xml file, and, to be truely secure, require you to type it

+again if you write to it. Winicq does something very similar to this if

+you set it to its highest security settings. B) Obscure a password.

+This means we do something to store the password in some format other

+than plain text, but we automatically convert it for you. This is

+security by obscurity, and is a VERY Bad Thing(tm) in that it gives

+users a false sense of security; a false sense that we (as Gaim

+developers) believe would be worse to have than to let informed users

+deal with the password issue themselves. (Consider that a naive user

+might think that it is safe to share his or her accounts.xml, because

+the passwords are "encrypted".) C) Store the password in plain text and

+control access to the file. This is what Gaim does: the password is in

+accounts.xml in plain text, but the file itself is only readable by its

+owner. We allow the user to determine under what conditions sensitive

+files should be opened (if at all), and what constitutes a breach of

+security (for instance opening the file before you realize what's up

+with it), and to react accordingly. ICQ is the ony protocol that will

+allow the account to be completely taken over by surprise, and that only

+because of flaws in the server that allow accounts to be highjacked _at

+the server_ w/out the use of a client at all. D) Lastly, you can not

+store passwords at all. This is Gaim's default, and by far the most

+secure of all of the options.

+If you really wanted to, you could write a script to wrap Gaim that

+would decrypt accounts.xml and re-encrypt it when Gaim exists. You

+wouldn't be able to encrypt it while Gaim is running, because Gaim

+writes to accounts.xml for things like info change. This would minimize

+your exposure time unless (like me) you run Gaim nearly 24/7.

+Personally, I feel that on any decent os (unix), if someone can get to

+your files you should either be able to trust the person to not touch

+them, or you shouldn't be storing sensitive information there at all.

gaim/www