"Jamin W. Collins" <[EMAIL PROTECTED]> wrote on 12-9-2003 19:49:23:

> Does anyone else see it as a concern that the Jabber server (1.4.2
> release) and popular transports (aim-t, jit, msn-t, and yahoo-t) save
> user account information (user name and password) in plaintext for
> anyone with read access on the Jabber server to see?
From the last discussion on this subject, it turns out that with SASL's DIGEST-MD5 method (so with Jabberd2 as well, I suppose?) it is possible to store passwords in secure hash form. Registration with jabber:iq:register will still be done in plaintext, until it is adapted for this mechanism. But even then, I wouldn't give anyone read access to your Jabber files who shouldn't really have it.

As for transports, since most networks currently require access to plaintext passwords to do authentication with them, there is only one alternative: mapping the authentication to Jabber and letting the clients handle it. That would mean, however, that for every foreign network you want to use, the client would have to implement that authentication process, which on most networks is also the most frequently changed feature. For example, for MSN you first would have had to implement SHA1 authentication in your messenger, but now you'd have to tunnel SSL over your Jabber stream. I can imagine most client authors would like it better if you just restrict read access on your server ;)

-- 
Tijl Houtbeckers
Software Engineer @ Splendo
The Netherlands

_______________________________________________
jdev mailing list
[EMAIL PROTECTED]
http://mailman.jabber.org/listinfo/jdev
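The "secure hash form" mentioned in the reply is the RFC 2831 DIGEST-MD5 property that the server only needs H(username:realm:password), not the password itself, to check a login. The following is an added example written for this page, not code from the thread, from jabberd or from any transport: it computes the DIGEST-MD5 response on the client side from the password and verifies it on the server side from the stored 16-byte secret alone, then checks the result against the worked example in RFC 2831 section 4. The realm, nonce and URI values in the demo are the RFC's; `new_nonce`, `server_verify` and the other function names are this example's own. Two caveats the example makes visible: the stored secret is password-equivalent for DIGEST-MD5 (anyone who can read it can compute a valid response), and a transport that has to log into a foreign network with the real password gains nothing from it, which is why the read-access advice in the reply still stands.

```python
import hashlib
import hmac
import os

# Added example for the jdev discussion above; not jabberd or transport code.
# RFC 2831 DIGEST-MD5 (qop=auth only):
#   A1       = H(username ":" realm ":" password) ":" nonce ":" cnonce
#              (the first part is the raw 16-byte MD5 digest, not hex)
#   A2       = "AUTHENTICATE:" digest-uri
#   response = HEX(H( HEX(H(A1)) ":" nonce ":" nc ":" cnonce ":" qop ":" HEX(H(A2)) ))


def stored_secret(username: str, realm: str, password: str) -> bytes:
    """What a server can store at registration instead of the password."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()


def digest_md5_response(secret: bytes, nonce: str, cnonce: str, nc: str,
                        digest_uri: str, qop: str = "auth") -> str:
    """RFC 2831 'response' value derived from the stored secret only."""
    if qop != "auth":
        raise ValueError("this example only handles qop=auth")
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    ha1 = hashlib.md5(a1).hexdigest()
    ha2 = hashlib.md5(a2).hexdigest()
    kd = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("utf-8")
    return hashlib.md5(kd).hexdigest()


def client_response(username: str, realm: str, password: str, nonce: str,
                    cnonce: str, nc: str, digest_uri: str) -> str:
    """Client side: holds the plaintext password and derives the secret on the fly."""
    secret = stored_secret(username, realm, password)
    return digest_md5_response(secret, nonce, cnonce, nc, digest_uri)


def server_verify(secret: bytes, nonce: str, cnonce: str, nc: str,
                  digest_uri: str, response: str) -> bool:
    """Server side: never sees the password; the 16-byte secret is enough.

    Note the flip side: whoever can read `secret` can call
    digest_md5_response() themselves, so it is password-equivalent.
    """
    expected = digest_md5_response(secret, nonce, cnonce, nc, digest_uri)
    return hmac.compare_digest(expected, response)


def new_nonce() -> str:
    """Server challenge nonce; must be fresh per authentication attempt."""
    return os.urandom(16).hex()


# Worked example from RFC 2831 section 4 (values copied from the RFC).
RFC2831_EXAMPLE = {
    "username": "chris",
    "realm": "elwood.innosoft.com",
    "password": "secret",
    "nonce": "OA6MG9tEQGm2hh",
    "cnonce": "OA6MHXh6VqTrRk",
    "nc": "00000001",
    "digest_uri": "imap/elwood.innosoft.com",
    "response": "d388dad90d4bbd760a152321f2143af7",
}


def run_rfc_vector() -> bool:
    """True if our implementation reproduces the RFC 2831 response value."""
    e = RFC2831_EXAMPLE
    got = client_response(e["username"], e["realm"], e["password"],
                          e["nonce"], e["cnonce"], e["nc"], e["digest_uri"])
    secret = stored_secret(e["username"], e["realm"], e["password"])
    return got == e["response"] and server_verify(
        secret, e["nonce"], e["cnonce"], e["nc"], e["digest_uri"], got)


if __name__ == "__main__":
    print("RFC 2831 vector reproduced:", run_rfc_vector())
```

The contrast with the transports in the thread is direct: `server_verify` works from `stored_secret` and never needs the password, whereas a gateway that must present the user's real MSN or AIM password to that network has to keep it recoverable, so restricting read access on the server's data files is the only protection there.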
