Pidgin XMPP TLS/SSL Man in the Middle attack
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Pidgin | Fix Released | Unknown | | |
| pidgin (Debian) | Fix Released | Unknown | | |
| pidgin (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
Binary package hint: pidgin
It looks like this bug was reported in Launchpad some time ago, but for the wrong package. I'd love to see it fixed. Here's the original text:
As per http://
The client gives the end user no method of determining the validity of the certificate; in cases where a server presents invalid or self-signed certificates, Pidgin operates as normal. As a result, any man-in-the-middle attacker can handshake with the server and with the client (using a fake certificate) and perform a decrypt-recrypt process to read the data -- including message text and plaintext passwords -- in plain text.
No proof of concept for this specific attack exists. Those wishing to write one can create an Ettercap plug-in
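The missing control the report describes is certificate validation on the client side: chain verification against trusted CAs and a hostname check. The following added example (not Pidgin code, and not from the original report) shows, with Python's standard `ssl` module, what a correctly configured XMPP client context looks like next to a context that behaves as the report describes, together with a small audit helper that flags the weak settings. The function names and the `cafile` parameter are this example's own choices.

```python
import ssl


def build_client_context(cafile=None):
    """TLS client context that enforces what the bug report says Pidgin lacked:
    the server chain must validate against trusted CAs (CERT_REQUIRED) and the
    certificate must match the expected hostname (check_hostname).
    `cafile` optionally points at a PEM bundle; otherwise the system store is used."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_context():
    """Constructed counter-example reproducing the reported behaviour: any
    certificate, self-signed or issued for another name, is accepted.
    Order matters: check_hostname must be off before verify_mode can be CERT_NONE."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of findings for settings that would let a man-in-the-middle
    present a forged certificate unnoticed. An empty list means the context
    performs the checks the report asks for."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: "
                        "invalid or self-signed server certificates are accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is disabled: "
                        "a valid certificate for a different name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2: legacy protocol versions allowed")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", build_client_context()), ("weak", weak_context())):
        print(name, audit_context(ctx) or ["no findings"])
```

Wrapping the XMPP socket with `build_client_context().wrap_socket(sock, server_hostname=domain)` makes the handshake fail with `ssl.SSLCertVerificationError` when the presented certificate does not chain to a trusted CA or does not match `domain`, which is exactly the failure the user needs to see instead of a silently established session.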
Changed in pidgin:
- status: Unknown → Confirmed

Changed in pidgin:
- status: Confirmed → Fix Released

Changed in pidgin:
- status: Unknown → Fix Released
See also: http://developer.pidgin.im/ticket/3381