[Psi-devel] account defaults don't work for google talk
Hal Rottenberg
halr9000 at gmail.com
Thu Mar 1 15:09:37 PST 2007
On 3/1/07, textshell-I1QKlO at neutronstar.dyndns.org
> > I would even say that even if the user has disabled plaintext auth, it should
> > be used if the connection is secured because it isn't exactly "plaintext" at
> > that point.
> >
> It enables a malicious server to steal the password.
> All challenge-response SASL mechs prevent this. So there are good reasons
> to disable PLAIN over encrypted too. It boils down to how well all parties
> manage the SSL/TLS certs and checking... So it's the right thing to be able
> to disable plaintext always.
I agree with what the "right thing" is--i.e. better security and
protection of your password--however I disagree that disabling
plaintext by default always is the right thing. Unfortunately, this
is Google we are talking about here. It's one of those things where
we should consider making an exception (which is my position) because
of the volume of user requests and complaints it will circumvent due
to the fact that Google is Google.
Security is a compromise, always been that way. I think that
performing one of Remko's mentioned workarounds would be good enough
for the end user in terms of ease-of-use.
--
Psi webmaster (http://psi-im.org)
im:hal at jabber.rocks.cc
http://halr9000.com
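As an added illustration of the trade-off discussed in this thread (this is not code from the thread or from Psi), the sketch below models a client-side mechanism policy and shows on the wire why PLAIN over TLS still hands the password to the server while a challenge-response mechanism does not. All function names, the toy HMAC exchange and the sample credentials are my own assumptions.

```python
# Added example, not from the thread or the Psi code base.
import hashlib
import hmac
import os

# Mechanisms that prove knowledge of the password without sending it.
CHALLENGE_RESPONSE = ("SCRAM-SHA-256", "SCRAM-SHA-1", "DIGEST-MD5")


def choose_mechanism(offered, tls_active, cert_verified, allow_plaintext):
    """Pick a SASL mechanism from the server's list, or None to refuse.

    Policy (an assumption modelled on the thread): prefer challenge-response;
    fall back to PLAIN only if the user opted in AND the channel is TLS with
    a verified certificate. PLAIN over an unverified channel is never used,
    since a malicious or spoofed server would simply read the password.
    """
    for mech in CHALLENGE_RESPONSE:
        if mech in offered:
            return mech
    if "PLAIN" in offered and allow_plaintext and tls_active and cert_verified:
        return "PLAIN"
    return None


def plain_client_message(user, password):
    """Bytes the server sees with PLAIN: NUL user NUL password (RFC 4616)."""
    return b"\0" + user.encode() + b"\0" + password.encode()


def derive_key(password):
    """Toy password-derived key; a real mechanism uses a salted, iterated KDF."""
    return hashlib.sha256(password.encode()).digest()


def cr_client_response(password, server_nonce):
    """Toy challenge-response: the client returns HMAC(key, nonce), never
    the password itself. Real mechanisms (e.g. SCRAM) add mutual proof."""
    return hmac.new(derive_key(password), server_nonce, hashlib.sha256).digest()


def cr_server_verify(stored_key, server_nonce, response):
    expected = hmac.new(stored_key, server_nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def password_exposed(mech, user, password, server_nonce=None):
    """True if the bytes the server receives contain the password."""
    if mech == "PLAIN":
        seen = plain_client_message(user, password)
    else:
        seen = cr_client_response(password, server_nonce or os.urandom(16))
    return password.encode() in seen
```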