Author Topic: Password protected History++ now without protection?  (Read 5834 times)

0 Members and 1 Guest are viewing this topic.

Offline ubik

  • Newbie
  • *
  • Posts: 4
hey,

actually i haven't used the history for a while so it just got now to my attention.

i had my history password protected with a feature in history++ (i suppose), whenenver
i opended any history i had to input the password and only then i could view it.

now this behavior is gone, it opens the history++ (without any password dialog) readable.

so my question, is this feature removed or substituted with the db password you enter
after starting miranda-ng?

will there be an option to reenable the old behavior, meaning that you have to enter
the password everytime you want to access the history, because this suits far more
my idea of protection, you never know when some1 got on your machine during a piss,
and no, lockscreen is just not the same :)

thanx in advance.


version info attached
 

Offline watcher

Re: Password protected History++ now without protection?
« Reply #1 on: 12 04 2014, 17:31:42 »
This was only an illusion of protection - password was available as plain text key in the database and could be removed with two mouse clicks. If you want real protection - use Miranda NG database encryption plus password on entry plus BossKey plugin with password on return from hidden state.
Пожалуйста, внимательно прочтите правила постинга перед тем, как открыть новую тему.
Please read forum rules.
 

Offline Robyer

Re: Password protected History++ now without protection?
« Reply #2 on: 12 04 2014, 17:38:55 »
History++ provides in fact only placebo protection. Because you can just disable History++ plugin and voila, you can read history again.

I was thinking how to combine it with profile password, but either must be such feature (password protected history) provided in core, or we must password-protect also disabling/enabling of plugins on-the-fly.

And even then there would be problem and easy way how to read your history - just change settings of tabsrmm to show 9999... items from history when opening contact window. So you must password-protect also opening windows or block any settings changes to your profile. And both ways are bad.

There are one similar solution though. You can use BossKey, which supports password protection to access whole Miranda and/or hide whole Miranda on hotkey. And that might be pretty useful for your situation, dont you think? :-)
I was developing mainly Facebook, Omegle, Steam, Dummy and MobileState plugins. Now I'm retired. Goodbye, everyone. ~ You can still find me on Facebook.
 

Offline White-Tiger

  • Developer
  • *****
  • Posts: 182
  • Country: 00
  • SendSS maintainer
Re: Password protected History++ now without protection?
« Reply #3 on: 13 04 2014, 13:29:54 »
Well... I want that History++ Feature back as well :P
It might be circumventable (like a lot of other things as well) but it helps against "normal" people :P

As long as it protects a bit, it's ok ;) Also you can easily improve it someday and people using it don't need to change anything...
I basically only want to protect my history, nothing else. (I dislike to always enter my password on start, and this also doesn't protect the running app)
Btw.. such kind of "protection" should also be added to Database Editor+ ...
« Last Edit: 13 04 2014, 13:32:05 by White-Tiger »

 

Offline watcher

Re: Password protected History++ now without protection?
« Reply #4 on: 13 04 2014, 18:02:04 »
White-Tiger,  ghazan does not agree with keeping this illusion of protection.
Пожалуйста, внимательно прочтите правила постинга перед тем, как открыть новую тему.
Please read forum rules.
 

Offline White-Tiger

  • Developer
  • *****
  • Posts: 182
  • Country: 00
  • SendSS maintainer
Re: Password protected History++ now without protection?
« Reply #5 on: 13 04 2014, 22:04:37 »
I know that :P Since I've talked to him as soon as he changed it...
But it's still better to do it that way.. most "security" works this way... so there's no problem with that. And it's more secure than it is currently anyway.

Like I said before, it can be easily extended to provide real security. Eg. use public key to encrypt new stuff to history, and private key (encrypted with non stored password) to read back other stuff from history.... (just keep a copy of X messages of history unencrypted to allow message windows to show said X messages)

I knew from the beginning that it wasn't bullet proof against developers since TabSRMM was able to read the history anyway... but it still helps against "normal" people and even I wouldn't know how to circumvent it without trying and searching first. I might use Database Editor++ as first try... but if that one would be protected as well, I might just disable History++
At least it requires more work... and History++ could be made to not dynamically load/unload and thus requires Miranda to restart and eventually asks for password on startup.

There's no argument for not supporting it. It did work, it does work and it's more than we have now. (and quite painless to implement)

addition:
Further more, I said ghazan that I also liked the old Database Editor++ behavior with "encrypted" passwords.. as password were not visible without clicking them first and thus it's way easier to show others some settings in a safe manner... for example to take a screen of some "hidden" settings or showing someone with teamviewer some settings etc...
Compared it's definitely a step back.
Miranda always needs to focus normal people, simplify as much as possible even when it means to use pseudo security as used everywhere.
« Last Edit: 13 04 2014, 22:10:43 by White-Tiger »

 

Offline SpinalBlood

Re: Password protected History++ now without protection?
« Reply #6 on: 13 04 2014, 22:23:36 »
I would also like to have that option back if possible, even if it's easy to bypass. I haven't tested Bosskey yet, but the purposes are slightly different; I also liked the fact that it was an integrated function of history++, for the history itself
 

Offline Robyer

Re: Password protected History++ now without protection?
« Reply #7 on: 14 04 2014, 07:24:09 »
addition:
Further more, I said ghazan that I also liked the old Database Editor++ behavior with "encrypted" passwords.. as password were not visible without clicking them first and thus it's way easier to show others some settings in a safe manner... for example to take a screen of some "hidden" settings or showing someone with teamviewer some settings etc...
Compared it's definitely a step back.
It doesn't show passwords until you click it, so no problem with screenshots or teamviewer. (but yes, at the start it was broken and all passwords was visible)
I was developing mainly Facebook, Omegle, Steam, Dummy and MobileState plugins. Now I'm retired. Goodbye, everyone. ~ You can still find me on Facebook.