libpurple gadu-gadu issues

Tomasz Wasilczyk tomkiewi at gmail.com
Wed Aug 28 16:54:58 EDT 2013


2013/8/28 Ethan Blanton <elb at pidgin.im>:
> Tomasz Wasilczyk spake unto us the following wisdom:
>> I'm not sure if we should deal with the cases where the attacker is
>> able to spoof the server. If the user enables encrypted connections,
>> he's safe; if he disables it, he's as vulnerable as in any other
>> protocol (the XMPP roster is also able to add/remove buddies
>> remotely). However, I've removed the buddy list uploading/downloading
>> feature, because it doesn't work as expected for now (it's a problem
>> on the Gadu-Gadu service provider's side).
>
> We absolutely should.  Servers are not trusted.  Also, doesn't GG
> require OpenSSL encryption, which is license-incompatible with
> libpurple anyway?  That would mean that we must assume the user is NOT
> using encryption.

As I said before, this sentence was very unfortunate: we absolutely
should not trust the server. I only meant dealing with a fake
server which acts /almost/ like the legitimate one. By "almost", I mean
this very specific issue: an attacker may remotely update the user's
buddy list incorrectly using the old protocol, but if we use the new
protocol (correctly, this time), he will be able to do it anyway.

Note: libgadu supports both OpenSSL and GnuTLS. And I want to make it
use libpurple's SSL routines, so it won't require GnuTLS for
encryption. Actually, I'm working on this at the moment.

Tomek
