Some time ago, Google contacted me regarding security concerns related to Pidgin. After a long discussion, they decided to make a donation to the Instant Messaging Freedom foundation, which was then able to sponsor some work on Pidgin's security improvements.
Therefore, I will periodically publish news here about the work being done (containing only non-sensitive information, of course).
The first task I took care of was finishing and migrating the master password branch. It was a Google Summer of Code project in 2008, but it wasn't finished. When I started working on it, it was pretty unstable, but now it's slowly becoming polished and usable.
The master password branch provides Keyring support, which addresses one of the most complained-about security issues in Pidgin: storing all passwords in plaintext. There will be an option to store passwords in a system-provided secret store (such as GNOME Keyring or KWallet, or using Windows credentials to encrypt them), or to keep using the old plaintext method. Supported keyrings are implemented as plugins, so any interested developer can provide their own method of storing such sensitive data. There will even be an option to encrypt all passwords with a single master password supplied by the user.
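To make the master-password option concrete, here is an added illustration (not Pidgin's code, and not the on-disk format the branch uses, which this post does not describe): each account password is encrypted under a key derived from the master password and authenticated, so a wrong master password or a modified password store is rejected instead of yielding garbage. It assumes scrypt and HMAC-SHA256 from the Python standard library in place of a real AEAD, purely so that it runs self-contained.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed entry layout (hypothetical, not Pidgin's):
#   salt(16) | nonce(16) | ciphertext | tag(32)
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32


def _derive_keys(master: str, salt: bytes) -> tuple:
    # scrypt stretches the master password so that guessing it offline is slow;
    # the 64-byte output is split into an encryption key and a MAC key.
    key = hashlib.scrypt(master.encode(), salt=salt, n=2 ** 14, r=8, p=1,
                         dklen=64, maxmem=64 * 1024 * 1024)
    return key[:32], key[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode used as a PRF keystream (a stream cipher).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(master: str, account_password: str) -> bytes:
    """Encrypt one account password under the master password (encrypt-then-MAC)."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(master, salt)
    plaintext = account_password.encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_entry(master: str, blob: bytes) -> Optional[str]:
    """Return the account password, or None if the master password is wrong or the blob was altered."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt, nonce = blob[:SALT_LEN], blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(master, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # verify before decrypting: never hand back unauthenticated data
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))).decode()
```

The important defensive properties are the per-entry salt and nonce, the slow KDF, and checking the tag before any decryption is attempted.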
The development version of Pidgin with Keyring support can be obtained directly from its repository. Any comments, code reviews or tests would be appreciated.
Is there a plan for running some bug bounty? Even low prices under $50/bug would bring more eyes to look for potential problems.