
plaintext keys

2004-03-04
2004-03-05
  • Christopher R. Wren

    The private keys appear to be placed in the home directory (possibly a networked drive) without any protection.

    Is there any plan to add a master password capability to the password store?

    Chris

     
    • Bill Tompkins

      Bill Tompkins - 2004-03-05

      It's fairly straightforward to add - the keys are in fact encrypted: the NSS libraries only export encrypted keys.  However, the symmetric key used to encrypt/decrypt them is null, as there is no GUI set up to get a password from the user.

      I'd have added it by now, but my reasoning had been that if someone has access to files in your home directory that are marked not-public read/writable, then you're really in trouble anyways.  That same person could install a password sniffer fairly straightforwardly.  However, your point about home directories on a networked drive, particularly for Windows, is a situation I hadn't considered.

      I'll bump this higher up my todo list.

      -Bill

       
    • Christopher R. Wren

      ... or in the case where you may not trust the network admins, and even if I trust the admins, local root on any machine trusted by the NFS server is all it takes to snoop my "private" files on the server...

      Of course, the admins could put trapdoors on my desktop machine by modifying the gaim install, or GTK, or X, or libc... but that's a higher plane of paranoia, and I could presumably check for it (unless they also modify md5sum, etc. etc).

      Thanks.  If I don't see it next time I have a spare moment, I'll see if I can add it and send you a patch, since it's just a GUI thing.

      Chris
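
The exposure discussed in this thread, a key file protected only by file modes in a home directory that may sit on a network share, can be audited with a short script. This is an added example, not part of the original posts or the project's code; the host `filer.example`, the sample paths and the list of network filesystem types are assumptions.

```python
import os
import stat

# Network filesystem types (assumed list; extend for your environment).
NETWORK_FS = {"nfs", "nfs4", "cifs", "smbfs", "smb3", "afs", "ncpfs"}

# Constructed sample in /proc/mounts format; host and paths are hypothetical.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
filer.example:/export/home /home nfs4 rw,sec=sys 0 0
"""

def parse_mounts(text):
    """Parse /proc/mounts-style text into (mount_point, fstype) pairs."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            # /proc/mounts escapes spaces in mount points as \040.
            mounts.append((fields[1].replace("\\040", " "), fields[2]))
    return mounts

def fstype_for(path, mounts):
    """Return the fstype of the longest mount point containing path."""
    path = os.path.normpath(path) + "/"
    best_len, best_type = -1, None
    for mount_point, fstype in mounts:
        prefix = mount_point.rstrip("/") + "/"
        # ">=" lets a later mount on the same point shadow an earlier one.
        if path.startswith(prefix) and len(prefix) >= best_len:
            best_len, best_type = len(prefix), fstype
    return best_type

def audit_key_file(path, mounts):
    """Return findings for one private-key file (empty list means clean)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %04o grants access beyond the owner" % mode)
    fstype = fstype_for(os.path.realpath(path), mounts)
    if fstype in NETWORK_FS:
        findings.append("on %s: root on any trusted client can read it" % fstype)
    return findings

if __name__ == "__main__":
    import sys
    with open("/proc/mounts") as fh:
        live = parse_mounts(fh.read())
    for key_path in sys.argv[1:]:
        print(key_path, audit_key_file(key_path, live) or "ok")
```

Run on Linux, it takes key file paths as arguments and reads the live `/proc/mounts`; a clean result only covers modes and mount type, not whether the key itself is passphrase-protected.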

       
