[Pidgin] #3381: XMPP TLS and (old) SSL man-in-the-middle attack

Pidgin trac at pidgin.im
Sun Sep 30 15:11:48 EDT 2007


#3381: XMPP TLS and (old) SSL man-in-the-middle attack
-----------------------+----------------------------------------------------
Reporter:  bluefoxicy  |       Owner:  nwalp
    Type:  defect      |      Status:  new  
Priority:  minor       |   Component:  XMPP 
 Version:  2.2.0       |    Keywords:       
 Pending:  0           |  
-----------------------+----------------------------------------------------
 Pidgin's implementation of XMPP TLS and (old) SSL encryption is vulnerable
 to a man-in-the-middle attack.  A malicious user in a hotel or Internet
 café performing ARP spoofing can hijack a new XMPP connection and decrypt
 the data on the fly by replacing the certificate without any alert to the
 end user; a malicious user would need to write a plug-in to Ettercap to
 perform this attack.

 BACKGROUND

 I have a server which was originally called TestIN (Test IntraNet) running
 OpenFire XMPP server.  The TestIN server now resolves as 'jabber' on the
 local network, but uses a self-signed certificate for the domain
 'testin.localnet' that was generated when the server was still ill-named.

 I have tested multiple Jabber/XMPP clients using both the Old SSL (5223)
 encryption and the new TLS encryption.  Viewing the traffic in Wireshark
 shows a short handshake followed by an encrypted session; authentication
 seems to not occur before the encrypted session begins.  This leads me to
 believe the server and client have negotiated encryption properly for any
 given session.

 I noticed with all clients that none of them alert me about the self-
 signed certificate, or about the certificate having a different common
 name than the name used to contact the server.  This non-alert creates the
 security problem described in this issue.

 SPECIFIC PROBLEMS

 The two specific behaviors here that Pidgin must adhere to include
 alerting on a self-signed TLS or SSL certificate, and alerting on a
 certificate for a different common name than the one given for the server.
 If I connect to talk.google.com and get a certificate signed by itself, I
 may be under attack; similarly, I should not connect to talk.google.com
 and be presented with a certificate from www.boguswidgets.com (obtaining a
 CA signed SSL certificate for use in a replacement attack is trivial;
 obtaining it with the name of your target is not).

 RECOMMENDED SOLUTION

 Pidgin should alert the user that the certificate seems to not be
 completely secure on connect, and allow the user to abort before
 authentication (indeed, at the earliest sign of trouble).

 Pidgin should cache the certificate when a user successfully connects to a
 server, either by the certificate being proper or by the user accepting a
 self-signed or incorrect CN certificate.  If the user opts to not be
 alerted anymore for that specific certificate, Pidgin should be quiet
 about it until the certificate changes; else it should inform the user
 each time that the certificate it sees is the same as it was before.

 If a cached certificate changes, Pidgin should alert the user on the
 severity of the change.  If the actual public key does not change, but the
 common name, CA, or self signed status does (i.e. if a self-signed gets CA
 signed), then it should inform the user of this; else it should inform the
 user that the entire certificate has changed.  It can also inform the user
 that a simple self-signed to CA-signed transition makes the certificate
 more trustworthy, as long as the CN of the certificate matches the name of
 the server Pidgen connected to.

-- 
Ticket URL: <http://developer.pidgin.im/ticket/3381>
Pidgin <http://pidgin.im>
Pidgin


More information about the Tracker mailing list