Vulnerability Disclosure ::: Pidgin
Thijs Alkemade
thijsalkemade at gmail.com
Sat Oct 4 12:21:43 EDT 2014
On 4 okt. 2014, at 16:51, Nitin Goplani <nitingoplani88 at gmail.com> wrote:
> Hi,
>
> It was observed that pidgin.im domain is not configured to support DNSSEC. This opens up a man-in-the-middle scenario where remote attackers will be able to tamper with your DNS records by the use of cache poisoning techniques.
>
> About DNSSEC: It is a technology to provide the guarantee that the answer from the Global DNS is correct which means the IP address belongs to the actual website not the fake/malicious one.
> (i.e. if I type in the domain for my bank's website, I sure hope the IP address my browser goes to is of the intended bank, not some nefarious middle man trying to steal my data. This is what DNSSEC helps solve).
> DNSSEC introduces digital signatures into the DNS infrastructure and is designed to automatically ensure that users are not hijacked en route and taken to an unintended destination
>
> Recommendation: It is recommended to deploy DNSSEC. It will ensure the end user is connecting to the actual web site or other service corresponding to a particular domain name.
There’s no DNSSEC support for the .im TLD, so this is not currently possible:
http://stats.research.icann.org/dns/tld_report/
Regards,
Thijs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20141004/253a677d/attachment.sig>
More information about the security
mailing list