Pidgin and Security

Luke Schierer lschiere at pidgin.im
Fri May 13 19:22:20 EDT 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On May 13, 2011, at 14:15 EDT, Linda_Hansen at cargill.com wrote:

> Hello,
> I am conducting a software review of Pidgin.  An employee has requested to use this product in our company’s environment and we need to verify against any potential risk of information.
>  
> This appears to be a very good product and I can understand the request.
> However, we have some concerns and would like some further information on the product.  Mainly, wondering how configurable it is?  Can some features be disabled?  Can the ability to add a plug-in be disabled?
>  

Pidgin is quite configurable.  You can see the range of options we come with, many of which can be extended by plugins and scripts.  

Can features be disabled:  Some of them yes, others no.  You can for example install pidgin and then remove protocol plugins or loader plugins you do not wish users to have access to.  Ultimately, however, if users have write access to any directory in the plugin search path, then they can install any plugins or scripts. 

> Can you provide further information on the encryption capability? 
>  
> What security features are built-in?

This is an instant messaging client.  What security features would you expect? 

>  
> Are passwords still saved as clear text?

I explained at length why this is at http://developer.pidgin.im/wiki/PlainTextPasswords My original answer has, over the years, been developed on and extended by other team members, resulting in the text you now find there.  As you can see, if you read it, very few, if any, IM clients out there offer truly secure password storage mechanisms.  Thus the answer I gave years ago remains true:  If you cannot trust the file permissions and access controls for the accounts.xml file provided by your operating system of choice, you should not store passwords at all.  It is only our refusal to hide the inherent insecurity of storing passwords that makes this an issue at all, for anyone. 

>  
> What, if any, is required to be installed on a server?

Pidgin is a client.  It requires nothing of a server, except that it be a valid server for the protocol in question.  Thus if you have existing clients in place, using a protocol supported by Pidgin, you can use Pidgin as a replacement for those clients with no changes to your server. 

If on the other hand, you, like many people historically have, confuse pidgin with a service, then you will be disappointed.  We frequently get requests asking for us to do things to accounts on servers we do not control (such as password resets for MSN), or by individuals hoping that Pidgin is itself the solution to a company's need for internally controlled IM.  If you need your own server, you will have to pick a server, and install that separately from Pidgin.  If on the other hand you already have a server, or are happy with a public server, then Pidgin may be of use to you. 

I hope these answers help. 

Luke

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

iEYEARECAAYFAk3NvS0ACgkQUsDanPbyGdkZ8ACfcSMO1YxGrnyeWGmyjBQSBMFX
wW8AnA/oZ6vHV3aTjzKQ7NwFDUnlOjL5
=KwYh
-----END PGP SIGNATURE-----
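The two conditions the reply rests on, that nobody untrusted can write into the plugin search path and that the operating system's permissions on accounts.xml are actually restrictive, are both things a reviewer can check mechanically. The script below is an added example, not code from this post or from the Pidgin project. The plugin directory locations and the "trusted owner is uid 0" policy are assumptions for a typical Linux desktop; the sample layout in `demo()` is constructed for illustration.

```python
#!/usr/bin/env python3
"""Permission audit for what the reply above says Pidgin's safety rests on:
who can write to the plugin search path, and who can read accounts.xml.
Added example; not code from the post or from the Pidgin project.
Paths and uid policy below are assumptions for a Linux desktop."""
import os
import stat
import tempfile
from pathlib import Path

HOME = Path(os.path.expanduser("~"))

# Assumed locations (hypothetical defaults for this example; adjust to the install).
DEFAULT_PLUGIN_DIRS = [
    HOME / ".purple" / "plugins",   # per-user plugin directory
    Path("/usr/lib/purple-2"),      # libpurple (protocol / loader) plugins
    Path("/usr/lib/pidgin"),        # pidgin UI plugins
]
DEFAULT_ACCOUNTS_XML = HOME / ".purple" / "accounts.xml"


def audit_plugin_dirs(dirs, trusted_uids=frozenset({0})):
    """Report plugin-search-path directories an ordinary user could write to.

    Returns a list of (path, finding). A directory is flagged when it is
    group- or world-writable, or owned by a uid outside trusted_uids
    (its owner can always write to it). Missing directories are skipped."""
    findings = []
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        st = d.stat()
        if st.st_uid not in trusted_uids:
            findings.append((str(d), f"owned by uid {st.st_uid}"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((str(d), "world-writable"))
        elif st.st_mode & stat.S_IWGRP:
            findings.append((str(d), "group-writable"))
    return findings


def audit_accounts_xml(path):
    """Return findings for accounts.xml; an empty list means owner-only access."""
    path = Path(path)
    if not path.is_file():
        return []
    mode = stat.S_IMODE(path.stat().st_mode)
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append((str(path), "readable by group/others (passwords exposed)"))
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append((str(path), "writable by group/others"))
    return findings


def demo():
    """Audit a constructed sample layout built in a temporary directory.

    Returns (plugin_findings, accounts_findings). The tree is made up for
    illustration: one locked-down plugin dir, one world-writable one, a
    path that does not exist, and a world-readable accounts.xml."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        good = root / "purple-2"
        bad = root / "pidgin"
        good.mkdir()
        bad.mkdir()
        os.chmod(good, 0o755)
        os.chmod(bad, 0o777)
        acct = root / "accounts.xml"
        acct.write_text("<account><password>example-only</password></account>\n")
        os.chmod(acct, 0o644)
        me = frozenset({os.getuid()})  # the current user owns the sample tree
        return (audit_plugin_dirs([good, bad, root / "missing"], trusted_uids=me),
                audit_accounts_xml(acct))


if __name__ == "__main__":
    results = audit_plugin_dirs(DEFAULT_PLUGIN_DIRS) + audit_accounts_xml(DEFAULT_ACCOUNTS_XML)
    for path, finding in results or [("(nothing found)", "ok")]:
        print(f"{path}: {finding}")
```

Run it as the user who will use Pidgin. A finding on the per-user plugin directory is expected and simply restates the reply: a user who owns their home directory can always add plugins there, so "disabling plugins" is a policy question for the desktop, not a Pidgin setting. A finding on accounts.xml means the file permissions the password-storage argument depends on are not in place.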
