Vulnerability Disclosure ::: Pidgin

Nitin Goplani nitingoplani88 at gmail.com
Sat Oct 4 12:22:45 EDT 2014


Thanks for letting me know.

On 4 October 2014 21:51, Thijs Alkemade <thijsalkemade at gmail.com> wrote:

>
> On 4 Oct. 2014, at 16:51, Nitin Goplani <nitingoplani88 at gmail.com> wrote:
>
> > Hi,
> >
> > It was observed that pidgin.im domain is not configured to support
> DNSSEC. This opens up a man-in-the-middle scenario where remote attackers
> will be able to tamper with your DNS records by the use of cache poisoning
> techniques.
> >
> > About DNSSEC: It is a technology to provide the guarantee that the
> answer from the Global DNS is correct which means the IP address belongs to
> the actual website not the fake/malicious one.
> > (i.e. if I type in the domain for my bank's website, I sure hope the IP
> address my browser goes to is of the intended bank, not some nefarious
> middle man trying to steal my data. This is what DNSSEC helps solve).
> > DNSSEC introduces digital signatures into the DNS infrastructure and is
> designed to automatically ensure that users are not hijacked en route and
> taken to an unintended destination.
> >
> > Recommendation: It is recommended to deploy DNSSEC. It will ensure the
> end user is connecting to the actual web site or other service
> corresponding to a particular domain name.
>
> There’s no DNSSEC support for the .im TLD, so this is not currently
> possible:
>
> http://stats.research.icann.org/dns/tld_report/
>
> Regards,
> Thijs
>
>
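The point Thijs makes is that DNSSEC for pidgin.im depends on the parent zone: a validating resolver can only trust the domain's DNSKEY if the .im zone publishes a DS record for it, and .im can only do that if the root publishes a DS for .im. The shell script below, added here and not code from the thread, walks the zone cuts of a name from the TLD downwards and asks for a DS record at each, reporting where the chain of trust stops. It assumes `dig` is installed for live queries; `ds_lookup` is kept as a separate function so it can be replaced with captured records (the checks written for it use a constructed DS table, not live DNS).

```shell
#!/bin/sh
# Walk the DNSSEC chain of trust for a domain name. Starting at the TLD and
# moving toward the name, ask for the DS record at each zone cut. A zone with
# no DS in its parent cannot be validated, so the chain of trust stops there
# regardless of what the child zone signs. (Added example, not code from the
# thread; requires dig for live queries.)

# ds_lookup ZONE: print the DS record set for ZONE, one record per line, as
# returned by dig. Redefine this function to feed in captured records.
ds_lookup() {
    dig +short DS "$1" 2>/dev/null
}

# has_ds: read DS records on stdin; succeed if at least one well-formed record
# (key tag, algorithm, digest type, hex digest) is present.
has_ds() {
    grep -Eq '^[0-9]+ [0-9]+ [0-9]+ [0-9A-Fa-f ]+$'
}

# zone_cuts NAME: print each zone from the TLD down to NAME, one per line,
# e.g. "pidgin.im" -> "im." then "pidgin.im.".
zone_cuts() {
    printf '%s\n' "$1" | sed 's/\.$//' | awk -F. '{
        s = ""
        for (i = NF; i >= 1; i--) {
            s = (s == "") ? $i : $i "." s
            print s "."
        }
    }'
}

# chain_status NAME: print one line per zone cut and stop at the first zone
# whose parent publishes no DS. Returns 0 for a complete chain, 1 if broken.
chain_status() {
    for zone in $(zone_cuts "$1"); do
        if ds_lookup "$zone" | has_ds; then
            printf '%s signed\n' "$zone"
        else
            printf '%s unsigned: no DS in parent, chain of trust stops here\n' "$zone"
            return 1
        fi
    done
    return 0
}

# Usage: sh dnssec_chain.sh pidgin.im
if [ $# -gt 0 ]; then
    chain_status "$1"
fi
```

Run against a live resolver, the first "unsigned" line tells you which zone's parent lacks a DS; for a TLD that line means the TLD itself is not in the root's signed delegations, which is the situation the thread describes, and signing the child zone alone gives validating resolvers nothing to verify against. The ICANN TLD report linked above is the authoritative source for which TLDs are signed; the script is only a quick check of what resolvers currently see.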