[Blink] Blink stores plain word passwords in its config file?

Tomasz Muszynski thom at union.waw.pl
Wed Nov 24 13:18:15 CET 2010


Wiadomość napisana przez Dan Pascu w dniu 2010-11-24, o godz. 10:09:
> On 24 Nov 2010, at 01:08, Adrian Georgescu wrote:
> 
>> This is technically possible. Implementing keychain support in the configuration framework
> 
> actually things are not that simple. sipsimple's configuration framework is platform agnostic, we cannot simply add keychain support there as it is only available on the mac.

switch(platform)
{
 case "OSX": // use keychain
 case "Linux": // probably use sherlock
 default: // use plain file
}

Come on! That's not so hard to implement!

> plus as I said, having keychain support doesn't mean that the password cannot be logged after it was obtained from keychain. blink has a fundamental difference from other applications that come with your mac: it is available with the full source, which makes modifying it trivial. The point is that unless you completely trust anyone that uses your system, you have no guarantees of security.

I disagree. That way, You shouldn't use any tools like KeePass, that's because your filesystem is "very secure" and You don't need any other protection like not using root account or giving your computer to anyone... Also, every software written in Java or .Net (or any other jit based language) would be very unsecure as using reflection you can get source code from it's byte code. Thats not true. And finally, there are hackers that can restore any password from any place... so, let don't protect any software and don't hash any passwords as always someone can crack it :)

--------------------

As I've read in specification, SIP uses MD5 passwords. So, why not to store that encrypted password? If user changes authentication method then he will need to reenter the password, but again, it's stored locally in already encrypted form.

Best regards,
Tomasz Muszyński




More information about the Blink mailing list