Does pidgin still save your password in plain text (or base64-ized) in a configuration file in your home? I haven't used them in years because of this, and we also banned it in our company to avoid mistakes.
There is a plugin called "Windows Credentials", which according to the description uses Windows credentials instead of saving the passwords as plaintext.
I am unfortunately not exactly aware of what this means in practice, but I doubt it is worse than the default behaviour. But for Windows only, one could assume.
libpurple saving passwords in plain text is the correct decision. If it did encrypt them, it would also have to hold the key, so it would only add a false sense of security.
The only improvement would be a hardware-backed secret storage mechanism, but those aren't exactly ubiquitous.
It isn't. The correct decision would be to save the password in the operating system keychain, like Empathy does (or Messages on Mac, or name any others). Browsers also use keychains. On Windows, you can use the Crypto API to obtain an intermediate level of security.
Firefox can store passwords using a master key to unlock it, yet that master key is stored securely (via hashing).
libpurple/Pidgin could absolutely provide a more secure alternative by either using an OS keyring, or following Firefox's approach and requiring the user to type in a master password every time they start the client.
FWIW, Firefox doesn't do it by default, the option to enable it is not prominent, and when you do enable it the UX is pretty bad. IIRC usage stats is way below 1% of users.
No, it isn't. It's a very very bad security mistake, and I honestly thought it was obvious to most people by now (it used to be "debatable" 6-10 years ago).
People disagreeing tend to reply with blanket sentences like "if there is a process reading the files owned by you on your computer, you're already doomed", ignoring that security is made always made by layered levels, it's not an black/white issue. A file on disk could for instance end up in an unencrypted backup that goes into a server which is then exploited; it could be in a VM where you cannot control the supervisors. It might be end up being mailed to yourself for mistake while migrating computers (I know many people who do it), and thus being stored on remote servers; you might be running on a NFS-based deployment where you don't want to necessarily trust all present and future sysadmins with your personal passwords.
What's worse is that there is an alternative, safe solution to this which is using the operating system keyring, which stores passwords fully encrypted, and also enforces per-software / per-process ACLs ("app X wants to access your password for Y, do you want to allow?"). Pidgin (and other multi-platform software) tends to be resisting to this because it requires even more OS-specific code to be added and tested.
Pidgin is great. I have all my services hooked up to it: Aim/FB(when i had it)/Multiple Steam accounts/GTalk etc. Really great light weight chat client. Just wish there was a way to get Skype contacts on it.
There actually is a way, you can use Skype4Pidgin. However this requires you to have skype running, but you are able to chat with your skype contacts through Pidgin.
I do have to note that I've used this with Finch (also uses the purple library) and I've had one incident that I was talking to one person and one of my messages was mysteriously sent to a group chat instead of that one person. I've only had that happen to me once and I've not had that with Pidgin.
Whatever happened to Steve Ballmer screaming about developers?
Unfortunately it seems like over the years, companies have been providing fewer and fewer hooks into their products and services for developers to take advantage of.
This is awesome! Must have taken a fair bit of hacking to get working, given WhatsApp's policies.
Does anyone know if there are mobile apps based on Pidgin? Pidgin/Purple solved the multi-chat-client problem so well for the desktop, I'd love it to do the same on mobile.
It would be nice if Whatsapp, which is so popular, would help make its users a lot more secure by adopting end-to-end encryption, perhaps like what TextSecure v2 is using.
Getting people to use services with proper encryption is going to be a very slow process unless we convince/pressure the big ones to do it.
Wow, never heard of it before today. This should definitely be promoted more!
I was surprised there was only one old news here on HN. I submitted a new one: https://news.ycombinator.com/item?id=6913456
36 comments
[ 5.0 ms ] story [ 93.4 ms ] thread"Purple does not now and is not likely to encrypt the passwords in the accounts.xml file, nor is it likely to be encrypted in a future release. "
I am unfortunately not exactly aware of what this means in practice, but I doubt it is worse than the default behaviour. But for Windows only, one could assume.
Pidgin needs to supply the plaintext password to the server to authenticate.
The only improvement would be a hardware-backed secret storage mechanism, but those aren't exactly ubiquitous.
Google will disagree with you: chrome://settings/passwords
libpurple/Pidgin could absolutely provide a more secure alternative by either using an OS keyring, or following Firefox's approach and requiring the user to type in a master password every time they start the client.
Is there any situation where this sentence would be true?
People disagreeing tend to reply with blanket sentences like "if there is a process reading the files owned by you on your computer, you're already doomed", ignoring that security is made always made by layered levels, it's not an black/white issue. A file on disk could for instance end up in an unencrypted backup that goes into a server which is then exploited; it could be in a VM where you cannot control the supervisors. It might be end up being mailed to yourself for mistake while migrating computers (I know many people who do it), and thus being stored on remote servers; you might be running on a NFS-based deployment where you don't want to necessarily trust all present and future sysadmins with your personal passwords.
What's worse is that there is an alternative, safe solution to this which is using the operating system keyring, which stores passwords fully encrypted, and also enforces per-software / per-process ACLs ("app X wants to access your password for Y, do you want to allow?"). Pidgin (and other multi-platform software) tends to be resisting to this because it requires even more OS-specific code to be added and tested.
https://code.google.com/p/pidgin-gnome-keyring/
Here's the link: http://code.google.com/p/skype4pidgin/
http://blogs.skype.com/2013/11/06/feature-evolution-and-supp...
Unfortunately it seems like over the years, companies have been providing fewer and fewer hooks into their products and services for developers to take advantage of.
Does anyone know if there are mobile apps based on Pidgin? Pidgin/Purple solved the multi-chat-client problem so well for the desktop, I'd love it to do the same on mobile.
https://code.google.com/p/webpidgin/
Getting people to use services with proper encryption is going to be a very slow process unless we convince/pressure the big ones to do it.
I do not think that is such a great idea. I still vote Threema: https://threema.ch/
https://news.ycombinator.com/item?id=6913300
https://github.com/venomous0x/WhatsAPI
https://news.ycombinator.com/item?id=6913300
https://github.com/venomous0x/WhatsAPI