Changeset 08cdb93


Timestamp:
2006-08-14T13:25:05Z (13 years ago)
Author:
Wilmer van der Gaast <wilmer@…>
Branches:
master
Children:
d1f8759
Parents:
d5ccd83
Message:

Updated the note about encryption in the README file.

File:
1 edited

  • doc/README

    rd5ccd83 r08cdb93  
    155155====================
    156156
    157 BitlBee stores the accounts and settings (not your contact list though) in
    158 some sort of encrypted/obfuscated format.
    159 
    160 *** THIS IS NOT A SAFE FORMAT! ***
    161 
    162 You should still make sure the rights to the configuration directory and
    163 files are set so that only root and the BitlBee user can read/write them.
    164 
    165 This format is not to prevent malicicous users from running with your
    166 passwords, but to prevent accidental glimpses of the administrators to cause
    167 any harm. You have no choice but to trust root though.
     157There used to be a note here about the simple obfuscation method used to
     158make the passwords in the configuration files unreadable. However, BitlBee
     159now uses a better format (and real encryption (salted MD5 and RC4)) to store
     160the passwords. This means that people who somehow get their hands on your
     161configuration files can't easily extract your passwords from them anymore.
     162
     163However, once you log into the BitlBee server and send your password, an
     164intruder with tcpdump can still read your passwords. This can't really be
     165avoided, of course. The new format is a lot more reliable (because it can't
     166be cracked with just very basic crypto analysis anymore), but you still have
     167to be careful. The main extra protection offered by the new format is that
     168the files can only be cracked with some help from the user (by sending the
     169password at login time).
     170
     171So if you run a public server, it's most important that you don't give root
     172access to people who like to play with tcpdump. Also, it's a good idea to
     173delete all *.nicks/*.accounts files as soon as BitlBee converted them to the
     174new format (which happens as soon as the user logs in, it can't be done
     175automatically because it needs the password for that account). You won't
     176need them anymore (unless you want to switch back to an older BitlBee
     177version) and they only make it easier for others to crack your passwords.
    168178
    169179
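Review bot: the new text drops the advice from the removed paragraph ("make sure the rights to the configuration directory and files are set so that only root and the BitlBee user can read/write them"); the better storage format does not make that unnecessary, and the new paragraph itself says the old files "only make it easier for others to crack your passwords", so keep a sentence about restricting permissions on the configuration directory. Calling "salted MD5 and RC4" real encryption also overstates it: as the same paragraph notes, the files "can only be cracked with some help from the user (by sending the password at login time)", i.e. the key material comes from the user's password, so the protection is only as strong as that password and the wording should say so rather than "real encryption". Minor wording: "as soon as BitlBee converted them" should be "has converted them", and "which happens as soon as the user logs in, it can't be done automatically" is a comma splice; split it into two sentences.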
     
    192202        BitlBee - An IRC to other chat networks gateway
    193203                  <http://www.bitlbee.org/>
    194         Copyright (C) 2002-2005  Wilmer van der Gaast <wilmer@gaast.net>
     204        Copyright (C) 2002-2006  Wilmer van der Gaast <wilmer@gaast.net>
    195205                                 and others