Ralf Skyper Kaiser spake unto us the following wisdom: > I made a list of features under section 6.4 that would make pidgin secure. > In summary:
So ... we already implement a large portion of this list, either explicitly or implicitly. To wit: > For Jitsi/Pidgin/Jabber this would mean: > > 1. Do not allow non-private chats I don't know what this means. > 2. Do not allow clear-text (non-SSL) connections This is already available, as a per-account option. A global option could be added, but that is not substantially more user-friendly or secure in any practical sense. > 3. Accept self-signed certificates but once accepted/stored do not allow > certificate to change (even if new certificate is a Verisign signed > certificate). This is not something we currently support, but I generally think it's a good idea across the board. I doubt we will implement it any time soon, but I am pretty sure we would accept a well-written patch that notified of certificate changes. > 4. Feature to select CAfile storage location This is already provided, as a compile-time option. > 5. Force client to disable logging This is not an "option", but can easily be achieved by marking ~/.purple/logs unwriteable by the user. > 6. Inform server that user is using lockdown (so that server can reject > all clients which do not). This is not useful, as a client can readily lie. > 7. Once lockdown option is enabled the user should not be able to change > any of the above options until lockdown is disabled again (e.g. gray out > the option). Disconnect when lockdown option changes and reconnect to all > servers. I don't see what this buys. We're unlikely to implement it. > > The BIGGEST BANG FOR THE BUCK would be 4.: Allow the user to specific a > different (and exclusive) CA location. Again, we already support this, so I guess our buck is already bangin'. > It is not a big change and would open up Pigdin to a much larger user base. This is a disingenuous and misplaced statement. I assume you're trying to bribe egos. However, a) Pidgin is already used by many millions of users, b) the "much larger user base" is a small fraction of those millions consisting of (for example) certain financial companies, a small number of privacy-concerned tech-savvy individuals, etc., and c) we don't care how many people use Pidgin, anyway. If you can convince us something is a good idea, we'll either do it or accept a patch for it. If you can't, we don't care if the Pope, the Dalai Lama, and Captain Reynolds got together and asked for it. Ethan
signature.asc
Description: Digital signature
_______________________________________________ Support@pidgin.im mailing list Want to unsubscribe? Use this link: http://pidgin.im/cgi-bin/mailman/listinfo/support