MSN authentication
David Woolley
forums at david-woolley.me.uk
Sat Nov 6 10:01:10 EDT 2010
Yonatan Amir wrote:
> This recent FireSheep business got me wondering - does Pidgin
> authenticate the MSN protocol with encryption? I use Pidgin on an
> unencrypted wireless network at school, and I'm worried about some bored
> individual capturing my credentials. I couldn't find any information
> that would be useful to me.
Looking at some slightly dated source code, it seems to use the Windows
Live ID authentication protocol, which may well be dictated by
Microsoft. This seems to at least use hashing. I didn't notice any
session key negotiation, so I would suspect that it is vulnerable to
dictionary attacks, so you should choose a strong password.
This is based on looking at the code for not much more than 5 minutes,
so there might be stronger encryption that I have missed.
--
David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.