Kommentare zu: Palringo has severe security issues

Von: bigstyle

bigstyle — Fri, 26 Feb 2010 19:03:21 +0000

I have seen exactly the same problem with ebuddy.

So… is there any WLM/MSN Client secured ?

Thanks

Von: anon

anon — Thu, 15 Jan 2009 04:27:52 +0000

Do you know if Nimbuzz has the same problem?

Von: Sveenie

Sveenie — Fri, 15 Aug 2008 14:08:46 +0000

BTW: Google (Gtalk) states in the Terms of Service:
6.1 You agree and understand that you are responsible for maintaining the confidentiality of passwords associated with any account you use to access the Services.
How can a Palringo user do that, if he doesn’t even know, that he/she gives the password to a third party?

Von: Sveenie

Sveenie — Fri, 15 Aug 2008 13:35:49 +0000

@Martin: that’s not true. For XMPP/Jabber/Gtalk, what I’m mainly using, full encryption IS standard. So for me this would be clearly a step back.
Of course you are free to convince your potential users that your intentions are good, but first you have to give them the choice by clearly stating how it works. But you don’t, since you fear that users will have doubts if it is such a good idea to give all their passwords to a third party. And instead of addressing these doubts you just don’t mention it.
To be fair: MobileChat is relaying over their proxy as well, but I don’t know about encryption. I cannot check it out, since I don’t want to pay money for it.

Von: Martin

Martin — Wed, 13 Aug 2008 20:18:30 +0000

@Sveenie: Users face the same issues when using official MSN/ICQ/AIM clients – it is not industry standard practice to encrypt data other than passwords.

Palringo’s servers act as a proxy/gateway to other services, which provides better resilience to intermittent connectivity problems and will allow us to implement push notifications in the near future. We do not log traffic data we relay, and the sole design rationale behind our architecture has been to provide a better user experience.

Von: Sveenie

Sveenie — Wed, 13 Aug 2008 13:35:46 +0000

@Martin: Ok, so what do we still have in the new version: Everybody can see our conversation and Palringo knows all our passwords. That’s a bit better, but far from being good.

Your privacy policy just tells what you do with the information, not what information you will gather. The users just don’t expect, that all their passwords are disclosed to Palringo.

If you want to offer a fair and acceptable product, you should use a full SSL tunnel to your server and explicitly clarify to the users, that all the IM traffic and all passwords will be forwarded to your server.

Von: Martin

Martin — Tue, 12 Aug 2008 21:00:09 +0000

As of 20 minutes ago, Apple have finally approved the 1.1 update to Palringo. This enables full encryption for sensitive user details such as passwords.

Palringo’s servers do not store unencrypted versions of passwords, and do not store messages which are relayed to MSN/ICQ/AIM/etc.

Our privacy policy is available on our website and details our use of details provided to us by our users – it’s not as alarming as this post makes it out to be.