is Pidgin vulnerable to the POODLE SSLv3 vulnerability?
Dave Warren
davew at hireahit.com
Fri Oct 17 16:23:04 EDT 2014
On 2014-10-17 10:05, Daniel Atallah wrote:
>
> On Fri, Oct 17, 2014 at 9:27 AM, Lois Janes <LoisTJanes at mail.com
> <mailto:LoisTJanes at mail.com>> wrote:
>
> Is Pidgin vulnerable to the POODLE SSLv3 vulnerability?
>
> I know that Pidgin doesn't offer a way to disable SSLv3 support,
> so I'm specifically interested in whether Pidgin is suseptible to
> a TLS/SSL downgrade attack?
> Does Pidgin retry failed connections with lower SSL/TLS protocol
> versions?
> Does Pidgin support TLS_FALLBACK_SCSV?
>
>
>
> The answer to all these questions depends on which SSL/TLS (gnutls or
> NSS) library you're using with pidgin and the configuration of that
> library (which will depend on your OS).
>
> Pidgin/libpurple itself has no direct interaction with the SSL/TLS
> handshake process.
I'm not sure that it matters either way, POODLE not only requires a
downgrade to SSL 3, but it also requires the client to be cooperative in
sending very specific combinations of data over the same SSL 3 stream in
a repeatable, controllable (or at least predictable) fashion.
This is fairly trivial to accomplish in a browser with access to
Javascript, but unless pidgin can be compelled to send
third-party-server-submitted data over the SSL 3 encrypted stream, this
particular vulnerability probably can't be actively exploited. Most
other "x-over-SSL" protocols (SMTP, POP3, IMAP, etc) are not vulnerable
even if forced down to SSL 3.
Disabling SSL 3 is still a good idea, but this specific attack needs a
lot more pieces than just a connection that can be forced to SSL 3.
--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pidgin.im/pipermail/support/attachments/20141017/9049e5db/attachment.html>
More information about the Support
mailing list