Security Vulnerability

[Mark Doliner]

Hi Eugene. I think we never responded to this email--sorry. I think we
mostly don't consider this a security vulnerability. It seems like
there isn't a possibility for this to cause harm to large numbers of
Pidgin users, or prevent them from using Pidgin. And so it would be
fine to discuss this on our support at pidgin.im mailing list.

It's not clear to me why Google thinks Pidgin is using insecure
sign-in technology. I've never seen that setting or been asked to
change my security level? Is your Google account configured to use
two-factor authentication (e.g. you must enter a rotating code number
in addition to your password when signing in)? What about how your
XMPP account is configured within Pidgin... on the Advanced tab of
account settings, is connection security set to anything other than
"require encryption"? (Ideally it should be set to "require
encryption.") Is "allow plaintext auth over unencrypted streams"
checked? (Ideally it should not be.)

On Sun, Nov 16, 2014 at 5:59 AM, Eugene Alexander
<eugene.alexander at gmail.com> wrote:
> I am using Pidgin 2.10.10 and recently could not sign-in to my Google Talk
> account using XMPP.
>
> Google rejected the login and sent me a message to change my security level
> (see photo).
> https://www.dropbox.com/s/1j7xgq1jq0yrnwi/google.jpg?dl=0
>
> Can this be fixed so that we can sign-in using Google's latest security
> measures?
>
> Thank you, Eugene
>
>
> _______________________________________________
> security mailing list
> security at pidgin.im
> https://pidgin.im/cgi-bin/mailman/listinfo/security