I had an awkward experience today. I downloaded an update for an app. I got excited about the excellent stuff they have done to their previous version and I really do love the app. Then I thought to myself: that's just too good to be true. It kind of was.
I'm using an OS X Server for my mail, calendar, contacts, messages, wiki, VPN, whatever. You may like it or not, but it's a self-hosted server which makes it easy for almost everyone to host their own stuff.
As paranoid as I am, I can be just as naive. I did trust that application. I don't know anyone behind the app personally, but they seem to be some nice folks. I instantly logged myself into my Jabber server with a username and a password in the belief that the password would stay on my device.
Besides other nice things, the application provides a feature with which you can stay online even after Apple has terminated the application (after a maximum of ten minutes, which can be quite annoying for a permanent messaging application). You can choose between various intervals, up to three months, and you'll receive push notifications when someone sends you a message. Sounds like a great idea! Always online in Jabber, no need for WhatsFacebook and co.
At that point my naive mind went missing and my paranoid thinking was all that was left. It was a wakeup call. When they can keep my connection up and running for three months, they have to establish it somehow. That's what they do. You enter your password into the application and it's sent to their server, which then connects to my server with my password. The same password that is used for my email address. As there is also an option to turn on TLS for the server connection (which is off by default), I can just assume they send it through plain HTTP.
So, my server password was transferred in plain text to a third-party server and I cannot know whatever they have done or might do with it. [^1]
When I give some application my jabber password (or any password at all), I should trust them. In theory they could just check which services are running on that server and try the same username and password combination – or just check other services with that email address and password. I'm not reusing passwords anywhere, but it's essentially the same problem: one password for multiple services.
I cannot change the fact that Apple uses single sign-on for all services (which is the best option from a usability standpoint) and I cannot change that Apple terminates applications after ten minutes, but there is one thing I can always do: decide not to use something when I believe it is wrong.
I like my OS X server, so I continue to use it. I don't care if I'm offline in jabber after some time of inactivity, even if it would be nice not to be. But: sending my password, without any question, to their server, in plain text, is wrong on so many levels. That's how you ruin my trust once and for all.
I removed the accounts, removed the application and changed my passwords (changing all passwords on all devices and for all services was really no fun, special thanks for that waste of time).
- Think twice about whom you give your password to, and also think twice about the consequences that might have
- If someone trusts you enough to give you something at all, think long and hard about your responsibility. No matter if it's a password or just a stupid phone number or a cat to watch over.
- Use SSL for everything. When we are on the same Wi-Fi, even I can read your HTTP traffic (breaking news: won't help with the cat).
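To make the last point concrete: this is an added example, not code from the post or from the app in question, showing what a passive observer on the same network recovers from unencrypted traffic. It goes slightly beyond the HTTP case in the text and also covers a Jabber (XMPP) login without TLS, where the SASL PLAIN mechanism sends the password as base64 over the wire. The captured payloads, the hostname `push.example.invalid`, the account `alice@example.invalid`, the password and the form field names are all constructed for this example.

```python
"""Passive credential extraction from constructed, unencrypted captures.

Added example, not from the original post. Every capture below is made up.
"""
import base64
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

# HTTP Basic: "Authorization: Basic <base64(user:password)>" on its own header line.
BASIC_RE = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.I | re.M)
# XMPP SASL PLAIN (RFC 6120 + RFC 4616): <auth mechanism='PLAIN'>base64</auth>
SASL_PLAIN_RE = re.compile(
    rb"<auth\b[^>]*mechanism=['\"]PLAIN['\"][^>]*>([A-Za-z0-9+/=]+)</auth>", re.I
)
# Form field names an observer would look for (assumption, not a standard).
USER_FIELDS = ("username", "user", "jid", "login", "email")
PASS_FIELDS = ("password", "pass", "passwd", "pwd")

Finding = Tuple[str, str, str]  # (where it was found, user, password)


def _b64(blob: bytes) -> Optional[bytes]:
    """Strict base64 decode; None if the blob is not valid base64."""
    try:
        return base64.b64decode(blob, validate=True)
    except ValueError:
        return None


def extract_http(payload: bytes) -> List[Finding]:
    """Credentials visible in one plain-HTTP request: Basic auth and form bodies."""
    found: List[Finding] = []
    for m in BASIC_RE.finditer(payload):
        raw = _b64(m.group(1))
        if raw and b":" in raw:
            user, pw = raw.split(b":", 1)
            found.append(("http-basic", user.decode("latin-1"), pw.decode("latin-1")))
    head, sep, body = payload.partition(b"\r\n\r\n")
    if sep and b"application/x-www-form-urlencoded" in head.lower():
        fields = parse_qs(body.decode("latin-1"))
        user = next((fields[k][0] for k in USER_FIELDS if k in fields), None)
        pw = next((fields[k][0] for k in PASS_FIELDS if k in fields), None)
        if user is not None and pw is not None:
            found.append(("http-form", user, pw))
    return found


def extract_sasl_plain(payload: bytes) -> List[Finding]:
    """Credentials visible in an XMPP login that used SASL PLAIN without TLS."""
    found: List[Finding] = []
    for m in SASL_PLAIN_RE.finditer(payload):
        raw = _b64(m.group(1))
        if raw is None:
            continue
        parts = raw.split(b"\x00")  # authzid NUL authcid NUL password
        if len(parts) == 3:
            user = parts[1].decode("utf-8", "replace")
            pw = parts[2].decode("utf-8", "replace")
            found.append(("xmpp-sasl-plain", user, pw))
    return found


def sniff(payload: bytes) -> List[Finding]:
    """Everything a passive observer recovers from one captured TCP payload."""
    return extract_http(payload) + extract_sasl_plain(payload)


# --- Constructed captures (not real traffic) ---------------------------------
_BODY = b"jid=alice%40example.invalid&password=hunter2&ttl=90d"
HTTP_CAPTURE = (
    b"POST /api/keepalive HTTP/1.1\r\n"
    b"Host: push.example.invalid\r\n"
    b"Authorization: Basic " + base64.b64encode(b"alice@example.invalid:hunter2") + b"\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n"
    b"\r\n" + _BODY
)
XMPP_CAPTURE = (
    b"<stream:stream to='example.invalid' xmlns='jabber:client' "
    b"xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>"
    b"<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='PLAIN'>"
    + base64.b64encode(b"\x00alice\x00hunter2") + b"</auth>"
)
# Stand-in for a TLS application-data record: header plus opaque ciphertext bytes.
TLS_CAPTURE = b"\x17\x03\x03\x00\x20" + bytes(32)

if __name__ == "__main__":
    for name, cap in (("plain HTTP", HTTP_CAPTURE), ("plain XMPP", XMPP_CAPTURE), ("TLS", TLS_CAPTURE)):
        print(f"{name}: {sniff(cap)}")
```

The same password shows up twice in the HTTP capture (Basic header and form body) and once more in the XMPP login; the TLS record yields nothing, because what crosses the wire there is ciphertext. That is the whole difference between "off by default" and "on".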
[^1] For the record: the support, which is also quite great, did tell me that they don't store it and use it just for establishing the connection, but that was a pretty small consolation. I do believe they don't want to do any harm, but the complete procedure is just stupid.