New and added Jabber accounts are insecure by default
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
empathy (Ubuntu) | Invalid | Undecided | Unassigned | | |
Bug Description
Binary package hint: empathy
When creating new or adding existing Jabber accounts, the credentials will be sent unencrypted.
Enabling encryption later works.
Empathy should ask the user what to do or should enable TLS/SSL connections by default.
A workaround to prevent the credentials for existing accounts from being blown out unencrypted is to disable networking while passing the wizard and enable SSL/TLS before reconnecting.
New accounts could change the password after enabling SSL.
ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: empathy 2.30.1.1-0ubuntu1
ProcVersionSign
Uname: Linux 2.6.32-23-generic x86_64
NonfreeKernelMo
Architecture: amd64
Date: Thu Jul 1 02:41:52 2010
ExecutablePath: /usr/bin/empathy
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Alpha amd64 (20100223.2)
ProcEnviron:
PATH=(custom, user)
LANG=de_DE.UTF-8
SHELL=/bin/bash
SourcePackage: empathy
Changed in empathy (Ubuntu):
status: Invalid → Confirmed
Thanks for the bug report, but according to Empathy upstream, if encryption is supported by the server, Empathy does it encrypted.
<om26er> when we add a jabber account why isn't it secure by default (encrypted)?
<sjoerd> it is
<om26er> sjoerd, 'encryption required (TLS/SSL)' is for?
<sjoerd> then it's mandatory
<sjoerd> but we always turn on encryption when the jabber server supports it
<sjoerd> As we don't have good certificate checking and some servers (e.g. facebook iirc) don't do it, it's not a great default
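
Added example (not part of the bug report and not Empathy's code): a sketch of the difference between "turn on encryption when the server supports it" and "encryption required (TLS/SSL)", as a client decision made from the XMPP stream features. The function name, the policy flag and the sample stanzas are constructed for illustration; the namespaces are those of RFC 6120.

```python
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"


def next_step(features_xml, tls_active, require_tls):
    """Decide the client's next action from a <stream:features/> element.

    Returns 'starttls', 'authenticate' or 'abort'. require_tls models the
    'encryption required (TLS/SSL)' checkbox (hypothetical flag name).
    """
    features = ET.fromstring(features_xml)
    if features.tag != f"{{{NS_STREAM}}}features":
        raise ValueError("not a stream:features element")
    offers_tls = features.find(f"{{{NS_TLS}}}starttls") is not None
    mechanisms = [m.text for m in features.iter(f"{{{NS_SASL}}}mechanism")]

    if not tls_active:
        if offers_tls:
            return "starttls"      # both policies upgrade when TLS is offered
        if require_tls:
            return "abort"         # mandatory policy: never log in over cleartext
        # Opportunistic policy falls through: the login proceeds unencrypted.
    return "authenticate" if mechanisms else "abort"


# Constructed sample stanzas, as a client would see them before any TLS.
WITH_TLS = (
    f"<stream:features xmlns:stream='{NS_STREAM}'>"
    f"<starttls xmlns='{NS_TLS}'/>"
    f"<mechanisms xmlns='{NS_SASL}'><mechanism>PLAIN</mechanism></mechanisms>"
    "</stream:features>"
)
# Same features without the STARTTLS advertisement.
WITHOUT_TLS = WITH_TLS.replace(f"<starttls xmlns='{NS_TLS}'/>", "")

if __name__ == "__main__":
    for label, xml in (("TLS offered", WITH_TLS), ("TLS not offered", WITHOUT_TLS)):
        for require in (False, True):
            print(f"{label:16} require_tls={require!s:5} -> "
                  f"{next_step(xml, tls_active=False, require_tls=require)}")
```

The two policies differ only when the features arrive without a STARTTLS offer: the opportunistic client sends the login in cleartext, while the mandatory one stops before any credentials leave the machine.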