XMPP file transfer

Andreas Monitzer pidgin at monitzer.com
Wed Nov 14 02:55:16 EST 2007

On Nov 14, 2007, at 08:39, Gabriel Schulhof wrote:

> Just out of curiosity: What if the two sides are not on the same
> network, but they are both behind proxies on different networks using
> the same address space? In that case, would the originating hosts's
> Pidgin end up attempting to access a host on its own LAN?
> This could be a vulnerability: you think you're sending the file to  
> your
> friend 2 proxies away, but instead, you're sending the file to some
> other guy on your own LAN (who can impersonate your friend because he
> can see the whole traffic between you and your proxy and he's  
> fortunate
> to have the same IP as your friend has on /her/ LAN.

If someone is spying on your connection to the server, you have a huge  
problem right there, since that person is able to read all of your IM  
conversations. That's why TLS (client-to-server encryption) should be  
used at all times.
Since the port is random, it shouldn't be that simple to intercept a  
file transfer when you don't know the information going over the  
control connection.


More information about the Devel mailing list