is Pidgin vulnerable to the POODLE SSLv3 vulnerability?

Dave Warren davew at hireahit.com
Fri Oct 17 16:23:04 EDT 2014


On 2014-10-17 10:05, Daniel Atallah wrote:
>
> On Fri, Oct 17, 2014 at 9:27 AM, Lois Janes <LoisTJanes at mail.com 
> <mailto:LoisTJanes at mail.com>> wrote:
>
>     Is Pidgin vulnerable to the POODLE SSLv3 vulnerability?
>
>     I know that Pidgin doesn't offer a way to disable SSLv3 support,
>     so I'm specifically interested in whether Pidgin is suseptible to
>     a TLS/SSL downgrade attack?
>     Does Pidgin retry failed connections with lower SSL/TLS protocol
>     versions?
>     Does Pidgin support TLS_FALLBACK_SCSV?
>
>
>
> The answer to all these questions depends on which SSL/TLS (gnutls or 
> NSS) library you're using with pidgin and the configuration of that 
> library (which will depend on your OS).
>
> Pidgin/libpurple itself has no direct interaction with the SSL/TLS 
> handshake process.

I'm not sure that it matters either way, POODLE not only requires a 
downgrade to SSL 3, but it also requires the client to be cooperative in 
sending very specific combinations of data over the same SSL 3 stream in 
a repeatable, controllable (or at least predictable) fashion.

This is fairly trivial to accomplish in a browser with access to 
Javascript, but unless pidgin can be compelled to send 
third-party-server-submitted data over the SSL 3 encrypted stream, this 
particular vulnerability probably can't be actively exploited. Most 
other "x-over-SSL" protocols (SMTP, POP3, IMAP, etc) are not vulnerable 
even if forced down to SSL 3.

Disabling SSL 3 is still a good idea, but this specific attack needs a 
lot more pieces than just a connection that can be forced to SSL 3.

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pidgin.im/pipermail/support/attachments/20141017/9049e5db/attachment.html>


More information about the Support mailing list