Jon Mark Allen jm at allensonthe.net
Thu Jan 3 11:04:10 CST 2008

On 1/3/08, herb cee <hc at lookcee.com> wrote:
> Country I installed Gaim before the name was changed (due to friction
> with AOL) and Ubuntu has not changed it in the updates but I have not
> upgraded to 7.10 yet, still running 7.04 and the update manager recently
> did an update to Gaim. My guess is they will just reinstall as Pidgin.
> Anyway I have had no issues and I use it often.
> One issue is security and you may want to go here and read this
> http://dooglus.rincevent.net/gaim/  I'm way too greenhorn to advise.
> herb

Since the name has changed, the link above has been moved to [1].

In general, I think the developers are right.  Simply obfuscating the
passwords is not a good idea, since it will lead to end users thinking
their passwords are secure when they aren't. [2]

And since IM logins aren't encrypted by the protocols, the passwords
go across in the clear anyway.  (The only exception that I'm aware of
is SILC, which is an IRC network over SSL.)

I would say the weakness here is more in the IM protocols than in the client.

IM passwords should be something totally different and unlike any
other password you use.  IOW, they should practically be disposable.

Just my .02


[1] http://developer.pidgin.im/wiki/PlainTextPasswords
[2] A good example in this area is Cisco's Type 7 passwords.  They are
obfuscated using the command 'service password-encryption', but these
passwords are trivially revealed.  What Cisco intended was to protect
over-the-shoulder viewing of the passwords.  Instead, most people
assume that these passwords are encrypted well enough to post on
pastebin sites.....

"And can the liberties of a nation be thought secure when we have
removed their only firm basis, a conviction in the minds of the people
that these liberties are the gift of God?"
-- Thomas Jefferson
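
Added example, not part of the original message: footnote [2] notes that configs with Type 7 passwords end up on pastebin sites, so this sketch redacts credential lines from an IOS-style config before it is shared and reports which ones were only obfuscated. The function names, the `<removed>` marker and the sample config are assumptions made for illustration; the credential values are constructed placeholders.

```python
import re

# IOS-style credential line: "... password|secret [type] value".
# The type digit is optional; without it the value is stored as typed.
CRED = re.compile(
    r"^(?P<head>.*\b(?:password|secret)\s+)(?:(?P<type>\d)\s+)?(?P<value>\S+)\s*$"
)

def classify(type_digit):
    """Map the type digit to how the stored value should be treated."""
    if type_digit in (None, "0"):
        return "cleartext"
    if type_digit == "7":
        return "obfuscated"  # reversible: handle exactly like cleartext
    return "other"           # hash or keyed types; still not for publication

def sanitize(config_text):
    """Return (redacted_text, findings); findings are (line_no, kind) tuples."""
    out, findings = [], []
    for no, line in enumerate(config_text.splitlines(), start=1):
        m = CRED.match(line)
        if m is None:
            out.append(line)
            continue
        findings.append((no, classify(m.group("type"))))
        type_part = f"{m.group('type')} " if m.group("type") else ""
        # Every credential value is removed, whatever its type.
        out.append(f"{m.group('head')}{type_part}<removed>")
    return "\n".join(out), findings

# Constructed sample; the credential values are placeholders, not real encodings.
SAMPLE = """\
service password-encryption
enable secret 5 $1$PLACEHOLDER$PLACEHOLDERHASH
username admin password 7 00112233445566
line vty 0 4
 password 7 00AABBCCDDEEFF
 login
snmp contact noc
"""

if __name__ == "__main__":
    text, found = sanitize(SAMPLE)
    print(text)
    for no, kind in found:
        print(f"line {no}: {kind}")
```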

