SSL security concern

Ralf Skyper Kaiser skyper at thc.org
Mon Oct 14 14:25:21 EDT 2013 

Hi,

So ... we already implement a large portion of this list, either

> explicitly or implicitly.  To wit:
>
> > For Jitsi/Pidgin/Jabber this would mean:
> >
> >    1. Do not allow non-private chats
>
> I don't know what this means.
>

...if OTR plugin is available then do not allow non-encrypted private
messages.

>    4. Feature to select CAfile storage location
>
> This is already provided, as a compile-time option.
>

This is not feasible to the average user. (point taken, developers know how
to use pidgin securely. everyone else should go to hell?)



>
> >    5. Force client to disable logging
>
> This is not an "option", but can easily be achieved by marking
> ~/.purple/logs unwriteable by the user.
>
>
Option should be available cross-platform and without OS specific hacks.


> >    6. Inform server that user is using lockdown (so that server can
> reject
> >    all clients which do not).
>
> This is not useful, as a client can readily lie.
>

This is not the point. The client can also circumvent your no-logging idea
by putting up a camera and filming his screen.

The point is that it takes reasonable effort and prevents _accidental_
client misconfiguration.


>
> >    7. Once lockdown option is enabled the user should not be able to
> change
> >    any of the above options until lockdown is disabled again (e.g. gray
> out
> >    the option). Disconnect when lockdown option changes and reconnect to
> all
> >    servers.
>
> I don't see what this buys.  We're unlikely to implement it.
>

Prevents accidental misconfiguration by the user. A server rule could
create a rule to only let clients connect that are in lockdown. This would
ensure against these accidental misconfigurations:

1. User has logging disabled
2. User is authenticating against server supplied/server-trusted cert (and
not one of the 600+ CA's out there)
3. User can not send unencrypted private messages
etcetcetc.

It prevents accidental client misconfiguration which form the majority of
all security problems.

This is a disingenuous and misplaced statement.  I assume you're

> trying to bribe egos.  However, a) Pidgin is already used by many
> millions of users, b) the "much larger user base" is a small fraction
> of those millions consisting of (for example) certain financial
> companies, a small number of privacy-concerned tech-savvy individuals,
> etc.


I think there is a use case for such a feature. There is currently no easy
to use and secure IM client on the market.

History (last 2-3 years, and recent PRISM leaks) have shown that
governments (and I'm not just talking about the US here) are intercepting
SSL traffic on a massive scale (see the DigiNotar-Iran incident, The
Blackberry-Etisalar incident, the PRISM case, ...etc etc etc).

This has been made possible because of lax security implementation - not
just in pidgin but across the board.

Firefox and Chrome are now on the forefront for implementing stricter SSL
security (including certificate pinning, HSTS and exclusive CA locations).

David: Saying that this is not required reminds me of a discussion in the
80s when the car manufactures said that Airbags are not required ("That
cars have a break and that people should drive responsibly. Only a small
ruthless-driving group of people would benefit.").

regards,

Ralf
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://pidgin.im/pipermail/support/attachments/20131014/2d5ca870/attachment.html>

More information about the Support mailing list