Bug 568135 - improper handling of passwords on ekiga.net web site
Status: RESOLVED FIXED
Product: ekiga
Classification: Applications
Component: ekiga.net
Version: unspecified
OS: Other Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assigned To: Ekiga maintainers
QA Contact: Ekiga maintainers
Depends on:
Blocks:
Reported: 2009-01-18 00:32 UTC by Johan Henriksson
Modified: 2015-02-26 19:44 UTC
See Also:
GNOME target: ---
GNOME version: ---
Description Johan Henriksson 2009-01-18 00:32:43 UTC
* When a new user is registered, the password is sent by email. This should never occur.
* Further, the registration page does not use SSL.

Both of these put users' passwords in jeopardy and might affect users' trust in open source security.

Additional check:
* Make sure only hashes of passwords are stored centrally, not the passwords themselves.
Comment 1 Jan Schampera 2009-01-18 12:19:22 UTC
(In reply to comment #0)
> * when a new user is registered the password is sent in email. this should
> never occur.
Which is also a philosophic question. Mailing list engines do that, for example. But I agree with you (but: you would be surprised how many subscribers forget their password immediately after leaving the reg page...).

> * further, registration page does not use SSL.
Can you provide the URL? I can't imagine.



Comment 2 Mathias Brodala 2009-05-01 08:32:27 UTC
(In reply to comment #0)
> additional check:
> * make sure only hashes of passwords are stored centrally, not the passwords
> themselves

This is really important. Passwords should never ever be stored in clear text. If you, for example, collect a GDB backtrace after a segfault of Ekiga, the password will be clearly written in there. If you don’t notice this, everyone will know your password soon.

This is a huge security issue.
Comment 3 Eugen Dedu 2009-05-01 08:36:46 UTC
This could be done with gnome-keyring, see http://bugzilla.gnome.org/show_bug.cgi?id=555394
Comment 4 Snark 2009-05-01 09:17:29 UTC
Yes in GNOME, but what about win32/MOSX/KDE/XFCE/Enlightenment?
Comment 6 Eugen Dedu 2009-08-07 19:10:19 UTC
Passwords are stored in ekiga.net, I do not know if they are encrypted or not.

Passwords are also stored on the user's computer, and they are unencrypted. Here it could be useful to encrypt them. Joel, does your proposal work on Windows too?
Comment 7 Joel Jose 2009-08-08 02:35:24 UTC
Scroll down below and you'll find this there as one of the project goals:

"Compatibility with the JDK. This means that it should be possible to use this format as a keystore, so GNU implementations of the Java platform can provide the same functionality as the JDK"

I haven't tried it yet, but yes, if you want I'll get a hello world up in this library and tell you more ;) What specifically do you want me to test for?
Comment 8 Snark 2009-09-17 20:11:17 UTC
*** Bug 555394 has been marked as a duplicate of this bug. ***
Comment 9 Snark 2009-09-17 20:15:01 UTC
We're not the only ones: http://developer.pidgin.im/ticket/673

and the last link may be pretty interesting: http://ppasskeeper.mupuf.org/
Comment 10 Eugen Dedu 2010-03-01 13:07:29 UTC
This bug is for ekiga.net, the other (bug #555394) is for ekiga client.
Comment 11 Damien Sandras 2013-01-26 15:12:09 UTC
The password is not sent anymore, it is just reminded in the registration web page, which is using https.

We need to improve the password reminder thingy... But that's another problem and should probably be described in another bug report.
Comment 12 John Dieter 2015-02-26 19:44:15 UTC
As of 2015-02-26 the passwords are still decryptable (not one-way hashed) and are decrypted and sent over plain-text email during "forgot password".
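The thread's two open points are reversible password storage and a "forgot password" flow that mails the recovered password. As an added illustration (not ekiga.net or Ekiga project code), the following constructed Python sketch keeps only a salted one-way PBKDF2 hash per account, so the central store cannot yield the password, and replaces the reminder with a single-use reset token; the iteration count is an assumption to be tuned for the server.

```python
import hashlib
import hmac
import os
import secrets

# Assumed work factor for PBKDF2-HMAC-SHA256; raise it as hardware allows.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Derive a salted one-way hash; the stored record cannot be turned back into the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


class AccountStore:
    """Constructed in-memory stand-in for the central account table."""

    def __init__(self):
        self.users = {}         # username -> password record (hash, never the password)
        self.reset_tokens = {}  # sha256(token) -> username, single use

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password):
        record = self.users.get(username)
        return record is not None and verify_password(password, record)

    def request_reset(self, username):
        """'Forgot password' returns a one-time token to mail; the password itself is not recoverable."""
        token = secrets.token_urlsafe(32)
        self.reset_tokens[hashlib.sha256(token.encode()).hexdigest()] = username
        return token

    def complete_reset(self, token, new_password):
        """Consume the token (it is removed whether or not it was valid) and set a new password."""
        username = self.reset_tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if username is None:
            return False
        self.users[username] = hash_password(new_password)
        return True
```

Only the hash of the reset token is kept server-side, so a leaked copy of the store exposes neither passwords nor usable reset tokens.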