New and added Jabber accounts are insecure by default

Bug #600449 reported by lirel
This bug affects 2 people
Affects          | Status  | Importance | Assigned to | Milestone
empathy (Ubuntu) | Invalid | Undecided  | Unassigned  |

Bug Description

Binary package hint: empathy

When creating new or adding existing Jabber accounts, the credentials will be sent unencrypted.
Enabling encryption later works.

Empathy should ask the user what to do, or should enable TLS/SSL connections by default.

A workaround to prevent the credentials of existing accounts from being sent out unencrypted is to disable networking while going through the wizard and to enable SSL/TLS before reconnecting.
For new accounts, the password could be changed after enabling SSL.

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: empathy 2.30.1.1-0ubuntu1
ProcVersionSignature: Ubuntu 2.6.32-23.37-generic 2.6.32.15+drm33.5
Uname: Linux 2.6.32-23-generic x86_64
NonfreeKernelModules: wl
Architecture: amd64
Date: Thu Jul 1 02:41:52 2010
ExecutablePath: /usr/bin/empathy
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Alpha amd64 (20100223.2)
ProcEnviron:
 PATH=(custom, user)
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
SourcePackage: empathy

Revision history for this message
lirel (m8r-lcodw5) wrote :
description: updated
Revision history for this message
Omer Akram (om26er) wrote :

Thanks for the bug report, but according to Empathy upstream, if encryption is supported by the server, Empathy does it encrypted:

<om26er> when we add a jabber account why isn't it secure by default (encrypted)?
<sjoerd> it is
<om26er> sjoerd, 'encryption required (TLS/SSL)' is for?
<sjoerd> then it's mandatory
<sjoerd> but we always turn on encryption when the jabber server supports it
<sjoerd> As we don't have good certificate checking and some servers (e.g. facebook iirc) don't do it, it's not a great default

Changed in empathy (Ubuntu):
status: New → Invalid
nh2 (nh2)
Changed in empathy (Ubuntu):
status: Invalid → Confirmed
Revision history for this message
nh2 (nh2) wrote :

Reopening this bug as this is super insecure.

Imagine a user who does not even know what SSL/TLS is. He/she _will_ leave the default as is. He/she will, with high probability, use the same password as for his/her e-mail, social networking, or online payment account.

Empathy does not even notify the user that his sensitive data might be read by anyone on the network. This should not be the default setting for the default messaging client.

I strongly suggest turning "Encryption required" on by default and, in case the server does not support it, opening a "This will send your password unencrypted - do you really want to continue?" message box.
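To make the two policies on this page concrete (upstream's "use TLS when the server offers it" and nh2's proposed "require encryption, refuse otherwise"), here is an added, self-contained model of the XMPP client decision; it is not Empathy or telepathy-gabble code. The <stream:features> stanzas are constructed by hand to stand in for what a Jabber server returns after the stream header (RFC 6120); the function names and the "alice"/"hunter2" credentials are hypothetical. It also shows why the original report matters: a SASL PLAIN <auth> stanza sent before STARTTLS carries the password as plain base64, which anyone on the path can decode.

```python
"""Offline model of the STARTTLS / SASL PLAIN decision an XMPP client makes.

Added example for this bug report; not Empathy or telepathy-gabble code.
The three <stream:features> stanzas below are constructed, not captured.
"""
import base64
import xml.etree.ElementTree as ET

NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
STREAM_OPEN = '<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
MECHS_PLAIN = f'<mechanisms xmlns="{NS_SASL}"><mechanism>PLAIN</mechanism></mechanisms>'

# Constructed server responses (hypothetical): STARTTLS mandatory, optional, absent.
FEATURES_TLS_REQUIRED = (
    STREAM_OPEN + f'<starttls xmlns="{NS_TLS}"><required/></starttls>'
    + MECHS_PLAIN + "</stream:features>"
)
FEATURES_TLS_OPTIONAL = (
    STREAM_OPEN + f'<starttls xmlns="{NS_TLS}"/>' + MECHS_PLAIN + "</stream:features>"
)
FEATURES_NO_TLS = STREAM_OPEN + MECHS_PLAIN + "</stream:features>"


def parse_stream_features(features_xml):
    """Return (starttls_offered, starttls_required, sasl_mechanisms) from the stanza."""
    root = ET.fromstring(features_xml)
    starttls = root.find(f"{{{NS_TLS}}}starttls")
    offered = starttls is not None
    required = offered and starttls.find(f"{{{NS_TLS}}}required") is not None
    mechanisms = [m.text for m in root.iter(f"{{{NS_SASL}}}mechanism")]
    return offered, required, mechanisms


def sasl_plain_initial_response(user, password):
    """Base64 of '\\0user\\0password', the payload of <auth mechanism='PLAIN'>."""
    return base64.b64encode(b"\0" + user.encode() + b"\0" + password.encode()).decode()


def recover_sasl_plain(b64):
    """What a passive observer recovers from a PLAIN exchange seen before STARTTLS."""
    _authzid, authcid, passwd = base64.b64decode(b64).split(b"\0")
    return authcid.decode(), passwd.decode()


def authenticate(features_xml, user, password, require_encryption):
    """Decide the client's next stanza.

    Returns (stanza_or_None, password_exposed).  Both policies upgrade to TLS
    whenever the server offers it; they differ only when it does not:
    require_encryption=True aborts, False sends PLAIN on the cleartext stream.
    """
    offered, _required, mechanisms = parse_stream_features(features_xml)
    if offered:
        # <auth> follows later on the encrypted stream, so nothing leaks here.
        return f'<starttls xmlns="{NS_TLS}"/>', False
    if require_encryption:
        return None, False  # refuse rather than hand the password to the network
    if "PLAIN" not in mechanisms:
        return None, False
    payload = sasl_plain_initial_response(user, password)
    return f'<auth xmlns="{NS_SASL}" mechanism="PLAIN">{payload}</auth>', True


if __name__ == "__main__":
    for name, feats in [("required", FEATURES_TLS_REQUIRED),
                        ("optional", FEATURES_TLS_OPTIONAL),
                        ("none", FEATURES_NO_TLS)]:
        for policy in (False, True):
            stanza, exposed = authenticate(feats, "alice", "hunter2", policy)
            print(f"starttls={name:8} require_encryption={policy!s:5} "
                  f"exposed={exposed!s:5} sends={stanza}")
```

Run as a script it prints one line per combination; the only row with exposed=True is the server without STARTTLS under the default (not required) policy, and its <auth> payload decodes straight back to the user name and password with recover_sasl_plain(). Note that this model does no certificate checking at all, which is the gap sjoerd's IRC remark refers to: upgrading to TLS stops passive sniffing but, without verifying the server certificate, not an active man-in-the-middle.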

Revision history for this message
Brian Curtis (bcurtiswx) wrote :

Sorry, but this bug is invalid because an Empathy dev told Omer that it's secure when new Jabber accounts are created. Therefore I am invalidating this bug. Please join #telepathy on freenode IRC and discuss with the devs if you would like more clarification.

Changed in empathy (Ubuntu):
status: Confirmed → Invalid