Why do security "experts" hate pidgin/libpurple so much?

Passwords are stored in plain text. That will be changed at some point™.

Many low quality plugins / bad code, it's become a meme to hate on pidgin, it probably has many vulnerabilities.

wouldn't it be possible to mount the .pidgin dir as some encrypted loopback?

how does that make any difference if it's run from the same user as other potentially malicious codez?

this should be solved by user permissions and memory protection. otherwise attacking code will fetch decryption keyz just as well.

It has a huge C codebase written by contributors who don't know C well, and a lot of people use it for its OTR plugin

What use for encrypted chat over XMPP?

The problem I have seen with all encrypted chats so far is that they have issues with device synchronization. This includes Pidgin.

I need a secure chat that syncs to all my devices, mobile and PC.

XMPP RFC supporting push does exist, but I can't find it working well with encryption. Key Exchange seems to be a major issue.

Beyond using mu TOX, I am not sure what else exists. And TOX itself has multiple flaws that render it useless to me, specifically around User IDS/Accounts/Sync.

Is there any fully featured secure chat that is in an Open Source state at this point?

register a simple name on toxme.io if you can't just send the string to be copypasted, that's the reason it exists in the first place.
Just copy the fucking .tox file.

No need, ext4 has per-directory encryption built in now. Even without that, Ubuntu and the like have had a single checkbox at install time to encrypt /home/ for years.

I did that and now everyone is complaining I keep logging on/off 10 times a second when I have tox open on 2 computers???????

The failure of TOX is simplicity. For something to be mainstream and used by everyone, it needs to have a simple setup and easy device synchronization.

I fully believe all communications online should be encrypted and secure, but it's useless if everyday users are not able to simply login and have a secure chat that doesn't require anything but an ID & Password or a certificate that can be easily assigned to each account.

There is a gap missing with encrypted chats that are both straightforward and secure.

I have used TOX, but was only able to get communications with 1 other person as they understood the concepts and were willing to put in the effort.

Everyday users will not go to this length and unless the everyday user will use it, it will get no use except in a small targeted community.

Don't log in on two computers at once? Why would you actually need to do that in real life?

TOX IS THE SIMPLEST CHAT PROGRAM I HAVE EVER USED
What the hell are these 'lengths' one has to go to you're talking about? What the fuck are the 'concepts' one has to understand?
For fuck's sake you just send someone a string of text via something else and they paste it into the id field. If you don't want to do that, qtox has a fucking gui in the options menu for registering on qtox. It's a username field, a biography field, and a register button.
congrats now you can say 'add me I'm [email protected]'
THAT IS EXACTLY WHAT TOX IS

SASL authentication does not work, can't use it for Freenode and hackint through Tor.
Also the UI sucks, you have no idea which network you are using at the moment.

Profanity.

I guess this answers the OP. You hate it cause you ain't it

What the hell are you saying?

I'm confused as well

Weird but I think it's a good use case to consider since some people actually do it.

"Some people" as in everyone with an IM account on any major network in the last 15 years and a PC + 1 or more portable devices?

A-O-fucking-L added multiple login support fifteen years ago. How hard is it to get something so brain dead simple to work?

You hate it cause you ain't it

"Some people" as in "some people".
Logging in on several devices at the same time is not that common, but it started to become more common recently with smartphones and the like. I agree it should be implemented, I'm just saying it's not that common in actual, real life usage just because most IM applications have it.


Take your schizophrenia meds.

What third world country are you livin' in?

6/10 bait made me reply
Your next line will be "I was merely pretending to be retarded"

Why would it be changed and how would the messenger be able to auto-connect otherwise? It needs those passwords to do that.

Case scenario:

Work PC
Home PC
Laptop
Phone

I need 4 active devices at all times to sync my chat. I'm not sure a situation where 1 PC would even apply in a real world scenario.

For TOX to ever make it, it must support both the home and enterprise user and device synchronization.