poVoq / conversejs-ubports

ConverseJS based XMPP client for Ubuntu-Touch mobile devices
GNU General Public License v3.0

Clear-text password in browser storage #2

Open poVoq opened 4 years ago

poVoq commented 4 years ago

This is a difficult-to-fix issue, input appreciated.

It seems like ConverseJS is regularly re-checking the JID and password, and thus requires them to be stored in session or local browser storage.

I guess in "trusted mode" where OMEMO certificates and so on are stored in the localStorage this doesn't make much difference, and it is not like the qtwebkit session/local storage can be easily viewed from within the app by a non-trusted user.

In non-trusted mode the only option I see right now is to use sessionStorage only, so when the user closes the app the clear-text password is deleted.

One theoretical option would be to store only the hash. I asked on the ConverseJS chat about it with the following answer:

SCRAM-SHA-1 being ubiquitous you could also store the client part of the hash. Bonus points as it lets you avoid some expensive calculation. But to send the hash you'll have to do more work when connecting, might be quite difficult.

poVoq commented 4 years ago

I added the option for automatic login, which stores the password in cleartext in localStorage! You have been warned...