[Psi-devel] account defaults don't work for google talk
textshell-I1QKlO at neutronstar.dyndns.org
Thu Mar 1 13:23:32 PST 2007
On Fri, Mar 02, 2007 at 08:13:58AM +1100, Trejkaz wrote:
> On Friday 02 March 2007 06:07, Remko Tronçon wrote:
> > Regarding plaintext authentication, there are a couple of things we
> > could do to make it work:
> > - Make the 'Allow plaintext auth' a combobox with the following
> > options: Never, Always, Over an encrypted connection, and make 'over
> > an encrypted connection' the default. I'm not sure if this is 'secure'
> > enough as a default.
> > - Add a warning 'your server only supports plaintext authentication,
> > do you want to enable this?' with the optional 'don't ask me again for
> > this account' checkbox. We could add to the message whether or not the
> > connection is encrypted. This is probably the right thing to do.
> > However, this is harder to code :-)
>
> I would even say that even if the user has disabled plaintext auth, it should
> be used if the connection is secured because it isn't exactly "plaintext" at
> that point.
>
It enables a malicious server to steal the password.
All challenge-response SASL mechs prevent this. So there are good reasons
to disable PLAIN over encrypted too. It boils down to how well all parties
manage the SSL/TLS certs and checking... So it's the right thing to be able
to disable plaintext always.
- Martin
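An added illustration of the point made in the reply above (example code written for this page, not part of the thread or of Psi itself): with SASL PLAIN the server, honest or not, receives the password, while with a challenge-response mechanism it only receives a proof bound to that one exchange. The challenge-response side here is a compact SCRAM-SHA-256 exchange (RFC 5802/7677, without channel binding or string normalisation), chosen as a modern stand-in for the DIGEST-MD5 that XMPP servers offered in 2007; the user name, password and fixed nonces are constructed sample values.

```python
"""What a server learns from SASL PLAIN versus from a challenge-response
mechanism.  Example code, not Psi code.  The challenge-response side is a
compact SCRAM-SHA-256 (RFC 5802/7677, no channel binding, no normalisation).
User names, passwords and nonces used by the caller are constructed samples."""
import base64
import hashlib
import hmac
import os


# ---------- SASL PLAIN (RFC 4616) ----------

def plain_initial_response(authcid, password, authzid=""):
    """Client side: [authzid] NUL authcid NUL passwd, base64-encoded on the wire."""
    return base64.b64encode(f"{authzid}\0{authcid}\0{password}".encode()).decode()


def plain_server_view(initial_response):
    """Server side: with PLAIN the peer gets the password itself, TLS or not."""
    _authzid, authcid, password = base64.b64decode(initial_response).decode().split("\0")
    return authcid, password


# ---------- SCRAM-SHA-256: the server never sees the password ----------

def _h(data):
    return hashlib.sha256(data).digest()


def _hmac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _salted(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def scram_enroll(password, salt=None, iterations=4096):
    """Server-side record: StoredKey = H(ClientKey) and ServerKey; no password kept."""
    salt = salt if salt is not None else os.urandom(16)
    salted = _salted(password, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "stored_key": _h(_hmac(salted, b"Client Key")),
            "server_key": _hmac(salted, b"Server Key")}


def scram_verify(record, auth_message, proof):
    """Server side: ClientKey = proof XOR HMAC(StoredKey, AuthMessage); check H(ClientKey)."""
    client_key = _xor(proof, _hmac(record["stored_key"], auth_message))
    return hmac.compare_digest(_h(client_key), record["stored_key"])


def scram_exchange(user, password, record, cnonce=None, snonce=None):
    """Run the four SCRAM messages between a client holding `password` and a server
    holding `record`.  Returns (client_verified, server_authentic, transcript)."""
    cnonce = cnonce or base64.b64encode(os.urandom(12)).decode()
    snonce = snonce or base64.b64encode(os.urandom(12)).decode()
    salt_b64 = base64.b64encode(record["salt"]).decode()

    client_first_bare = f"n={user},r={cnonce}"
    server_first = f"r={cnonce}{snonce},s={salt_b64},i={record['iterations']}"
    client_final_bare = f"c=biws,r={cnonce}{snonce}"  # c=biws is base64("n,,")
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode()

    # Client: derive keys from the password, send a proof bound to both nonces.
    salted = _salted(password, record["salt"], record["iterations"])
    client_key = _hmac(salted, b"Client Key")
    proof = _xor(client_key, _hmac(_h(client_key), auth_message))

    # Server: check the proof, then prove its own knowledge of ServerKey.
    client_verified = scram_verify(record, auth_message, proof)
    server_final = _hmac(record["server_key"], auth_message)

    # Client: a fake server that never had ServerKey cannot produce this value.
    server_authentic = hmac.compare_digest(
        server_final, _hmac(_hmac(salted, b"Server Key"), auth_message))

    transcript = {
        "client_first": "n,," + client_first_bare,
        "server_first": server_first,
        "client_final": f"{client_final_bare},p={base64.b64encode(proof).decode()}",
        "server_final": "v=" + base64.b64encode(server_final).decode(),
        "auth_message": auth_message,
        "proof": proof,
    }
    return client_verified, server_authentic, transcript


if __name__ == "__main__":
    user, password = "alice", "s3cret!"        # constructed sample credentials
    print("PLAIN, server sees:", plain_server_view(plain_initial_response(user, password)))
    record = scram_enroll(password)
    ok, mutual, t = scram_exchange(user, password, record)
    print("SCRAM verified:", ok, "server authentic:", mutual)
    print("password on the wire:", password in "".join(
        t[k] for k in ("client_first", "server_first", "client_final", "server_final")))
```

Two things the exchange makes concrete. TLS around PLAIN only hides the password from a passive eavesdropper; the peer still decodes it from the initial response, which is why a bad certificate check or a hostile server is fatal. With SCRAM the proof is tied to both nonces, so a captured proof does not verify against a fresh exchange, a server that does not hold the real record fails both the client check and the mutual-authentication check, and the password never appears in any message. The remaining caveat is that a hostile server still walks away with a transcript it can run an offline dictionary attack against, so the mechanism limits the exposure rather than removing the need for a strong password.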