Vulnerability Disclosure ::: Pidgin
nitingoplani88 at gmail.com
Sat Oct 4 12:22:45 EDT 2014
Thanks for letting me know.
On 4 October 2014 21:51, Thijs Alkemade <thijsalkemade at gmail.com> wrote:
> On 4 okt. 2014, at 16:51, Nitin Goplani <nitingoplani88 at gmail.com> wrote:
> > Hi,
> > It was observed that pidgin.im domain is not configured to support
> DNSSEC. This opens up a man-in-the-middle scenario where remote attackers
> will be able to tamper with your DNS records by the use of cache poisoning
> > About DNSSEC: It is a technology to provide the guarantee that the
> answer from the Global DNS is correct which means the IP address belongs to
> the actual website not the fake/malicious one.
> > (i.e. if I type in the domain for my bank's website, I sure hope the IP
> address my browser goes to is of the intended bank, not some nefarious
> middle man trying to steal my data. This is what DNSSEC helps solve).
> > DNSSEC introduces digital signatures into the DNS infrastructure and is
> designed to automatically ensure that users are not hijacked en route and
> taken to an unintended destination
> > Recommendation: It is recommended to deploy DNSSEC. It will ensure the
> end user is connecting to the actual web site or other service
> corresponding to a particular domain name.
> There’s no DNSSEC support for the .im TLD, so this is not currently
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the security