Pidgin in Corporate Environment

Dave Warren lists at hireahit.com
Wed May 23 17:25:33 EDT 2012


On 5/23/2012 1:37 PM, David Woolley wrote:
> Ahmed Rambarran wrote:
>>
>> Is there a way to create a custom pidgin package that includes IM 
>> communication for AOL, Yahoo, & MSN only where all the mentioned IM 
>> channels get routed to an internal server? We are currently logging 
>> IM conversations but users who have Pidgin installed on their machine 
>> seem to bypass this feature. Please let me know if anyone has done 
>> this before.
>
> Please remind me to avoid those services if I'm sending anything 
> sensitive!  Are they really that vulnerable to a man in the middle 
> attack, or are you using special remote clients, with the real IM 
> client on your server?

They're really that vulnerable, or were a couple of years ago when I was 
using a transparent proxy to monitor and log traffic.

They either didn't use encryption at all or failed to validate 
certificates such that they were trivial to MITM. I don't recall which 
as the tool we used was off the shelf and not something we needed to 
construct ourselves.

Obviously anyone who cares about security should use IM services that 
they control, and that are properly encrypted (*cough*XMPP+SSL*cough*) 
although even then, you need to be careful because iPhone/Android 
clients will use a third party service (essentially a "bouncer") to 
maintain a connection to the server when the client software 
disconnects, which is very convenient, but potentially opens yet another 
backdoor.

Limiting IM to within corporate boundaries is a potential option, but 
being able to communicate securely from outside the corporate network 
can be invaluable (and a lot safer than using SMS).

Either that, or just assume that, like email, unless you know otherwise, 
IMs should be treated with the sensitivity and security of a postcard.

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren