libpurple gadu-gadu issues
Ethan Blanton
elb at pidgin.im
Wed Aug 28 16:36:24 EDT 2013
Tomasz Wasilczyk spake unto us the following wisdom:
> I'm not sure if we should deal with the cases where the attacker is
> able to spoof the server. If the user enables encrypted connections, he's
> safe; if he disables it, he's as vulnerable as in any other protocol
> (the XMPP roster is also able to add/remove buddies remotely).
> However, I've removed the buddy list uploading/downloading feature,
> because it doesn't work as expected for now (it's a problem on the
> Gadu-Gadu service provider side).
We absolutely should. Servers are not trusted. Also, doesn't GG
require OpenSSL encryption, which is license-incompatible with
libpurple anyway? That would mean that we must assume the user is NOT
using encryption.
Ethan