[JDEV] Jabber Transports - Security issues

Todd Bradley TBradley at jabber.com
Thu Nov 2 17:56:33 CST 2000

> Well, you can always run your own server. :)

I suspect Mark really wanted the answers to these questions.  I don't think
they're rhetorical.

Yes, passwords are stored on the server.  Depending on how the server is
configured, there are a few ways to store passwords
(http://docs.jabber.org/jpg/x102.html).  Yes, anyone with a login and read
access on the server can read anyone's passwords.  So, if the Jabber
administrator of jabber.org (or any other server) turns evil, he can get his
hands on thousands of AOL passwords.

The zero knowledge authentication feature in the new server makes it so you
can configure your server so the above is not true.


> Mark Zamoyta wrote:
> > Hello, AOL always brings up security issues when it comes 
> to allowing
> > open access to its IM system.  How does Jabber, or Jabber.org in
> > particular deal with this? Obviously AOL / AIM passwords 
> are stored on
> > the server, but how are they encrypted, and who has access 
> to them on
> > the Jabber.org server?   ie. Can any programmer working on transport
> > related code for jabber.org get their hands on thousands of AOL
> > passwords?  Can anyone setting up their own Jabber system get access
> > to all the AOL passwords stored on their system? Mark
> --
> Peter Saint-Andre
> stpeter at jabber.org
> _______________________________________________
> jdev mailing list
> jdev at jabber.org
> http://mailman.jabber.org/listinfo/jdev

More information about the JDev mailing list