libpurple gadu-gadu issues

Ethan Blanton elb at pidgin.im
Wed Aug 28 17:08:53 EDT 2013


Tomasz Wasilczyk spake unto us the following wisdom:
> 2013/8/28 Ethan Blanton <elb at pidgin.im>:
> > Tomasz Wasilczyk spake unto us the following wisdom:
> >> I'm not sure if we should deal with the cases where the attacker is
> >> able to spoof the server. If the user enables encrypted connections, he's
> >> safe; if he disables it, he's as vulnerable as in any other protocol
> >> (the XMPP roster is also able to add/remove buddies remotely).
> >> However, I've removed the buddy list uploading/downloading feature,
> >> because it doesn't work as expected for now (it's a problem on the
> >> Gadu-Gadu service provider side).
> >
> > We absolutely should.  Servers are not trusted.  Also, doesn't GG
> > require OpenSSL encryption, which is license-incompatible with
> > libpurple anyway?  That would mean that we must assume the user is NOT
> > using encryption.
> 
> As I said before, this sentence was very unfortunate - we absolutely
> should not trust the server. I only meant dealing with a fake
> server, which acts /almost/ like the legitimate one. By almost, I mean
> this very specific issue - an attacker may remotely update the user's buddy
> list incorrectly using the old protocol, but if we use the new
> protocol (correctly, this time), he will be able to do it anyway.

I mean we should deal with a fake server safely, as well.  I'm not
sure I get the point you're making.

Ethan
