[Pidgin] #3381: XMPP TLS and (old) SSL man-in-the-middle attack

Pidgin trac at pidgin.im
Sun Aug 3 01:46:02 EDT 2008


#3381: XMPP TLS and (old) SSL man-in-the-middle attack
-------------------------+--------------------------------------------------
  Reporter:  bluefoxicy  |       Owner:  wehlhard
      Type:  defect      |      Status:  new     
  Priority:  minor       |   Milestone:          
 Component:  XMPP        |     Version:  2.2.0   
Resolution:              |    Keywords:          
   Pending:  0           |  
-------------------------+--------------------------------------------------
Old description:

> Pidgin's implementation of XMPP TLS and (old) SSL encryption is
> vulnerable to a man-in-the-middle attack.  A malicious user in a hotel or
> Internet café performing ARP spoofing can hijack a new XMPP connection
> and decrypt the data on the fly by replacing the certificate without any
> alert to the end user; a malicious user would need to write a plug-in to
> Ettercap to perform this attack.
>
> BACKGROUND
>
> I have a server which was originally called TestIN (Test IntraNet)
> running OpenFire XMPP server.  The TestIN server now resolves as 'jabber'
> on the local network, but uses a self-signed certificate for the domain
> 'testin.localnet' that was generated when the server was still ill-named.
>
> I have tested multiple Jabber/XMPP clients using both the Old SSL (5223)
> encryption and the new TLS encryption.  Viewing the traffic in Wireshark
> shows a short handshake followed by an encrypted session; authentication
> seems to not occur before the encrypted session begins.  This leads me to
> believe the server and client have negotiated encryption properly for any
> given session.
>
> I noticed with all clients that none of them alert me about the self-
> signed certificate, or about the certificate having a different common
> name than the name used to contact the server.  This non-alert creates
> the security problem described in this issue.
>
> SPECIFIC PROBLEMS
>
> The two specific behaviors here that Pidgin must adhere to include
> alerting on a self-signed TLS or SSL certificate, and alerting on a
> certificate for a different common name than the one given for the
> server.  If I connect to talk.google.com and get a certificate signed by
> itself, I may be under attack; similarly, I should not connect to
> talk.google.com and be presented with a certificate from
> www.boguswidgets.com (obtaining a CA signed SSL certificate for use in a
> replacement attack is trivial; obtaining it with the name of your target
> is not).
>
> RECOMMENDED SOLUTION
>
> Pidgin should alert the user that the certificate seems to not be
> completely secure on connect, and allow the user to abort before
> authentication (indeed, at the earliest sign of trouble).
>
> Pidgin should cache the certificate when a user successfully connects to
> a server, either by the certificate being proper or by the user accepting
> a self-signed or incorrect CN certificate.  If the user opts to not be
> alerted anymore for that specific certificate, Pidgin should be quiet
> about it until the certificate changes; else it should inform the user
> each time that the certificate it sees is the same as it was before.
>
> If a cached certificate changes, Pidgin should alert the user on the
> severity of the change.  If the actual public key does not change, but
> the common name, CA, or self signed status does (i.e. if a self-signed
> gets CA signed), then it should inform the user of this; else it should
> inform the user that the entire certificate has changed.  It can also
> inform the user that a simple self-signed to CA-signed transition makes
> the certificate more trustworthy, as long as the CN of the certificate
> matches the name of the server Pidgen connected to.

New description:

 Pidgin's implementation of XMPP TLS and (old) SSL encryption is vulnerable
 to a man-in-the-middle attack.  A malicious user in a hotel or Internet
 café performing ARP spoofing can hijack a new XMPP connection and decrypt
 the data on the fly by replacing the certificate without any alert to the
 end user; a malicious user would need to write a plug-in to Ettercap to
 perform this attack.

 BACKGROUND

 I have a server which was originally called TestIN (Test !IntraNet)
 running !OpenFire XMPP server.  The TestIN server now resolves as 'jabber'
 on the local network, but uses a self-signed certificate for the domain
 'testin.localnet' that was generated when the server was still ill-named.

 I have tested multiple Jabber/XMPP clients using both the Old SSL (5223)
 encryption and the new TLS encryption.  Viewing the traffic in Wireshark
 shows a short handshake followed by an encrypted session; authentication
 seems to not occur before the encrypted session begins.  This leads me to
 believe the server and client have negotiated encryption properly for any
 given session.

 I noticed with all clients that none of them alert me about the self-
 signed certificate, or about the certificate having a different common
 name than the name used to contact the server.  This non-alert creates the
 security problem described in this issue.

 SPECIFIC PROBLEMS

 The two specific behaviors here that Pidgin must adhere to include
 alerting on a self-signed TLS or SSL certificate, and alerting on a
 certificate for a different common name than the one given for the server.
 If I connect to talk.google.com and get a certificate signed by itself, I
 may be under attack; similarly, I should not connect to talk.google.com
 and be presented with a certificate from www.boguswidgets.com (obtaining a
 CA signed SSL certificate for use in a replacement attack is trivial;
 obtaining it with the name of your target is not).

 RECOMMENDED SOLUTION

 Pidgin should alert the user that the certificate seems to not be
 completely secure on connect, and allow the user to abort before
 authentication (indeed, at the earliest sign of trouble).

 Pidgin should cache the certificate when a user successfully connects to a
 server, either by the certificate being proper or by the user accepting a
 self-signed or incorrect CN certificate.  If the user opts to not be
 alerted anymore for that specific certificate, Pidgin should be quiet
 about it until the certificate changes; else it should inform the user
 each time that the certificate it sees is the same as it was before.

 If a cached certificate changes, Pidgin should alert the user on the
 severity of the change.  If the actual public key does not change, but the
 common name, CA, or self signed status does (i.e. if a self-signed gets CA
 signed), then it should inform the user of this; else it should inform the
 user that the entire certificate has changed.  It can also inform the user
 that a simple self-signed to CA-signed transition makes the certificate
 more trustworthy, as long as the CN of the certificate matches the name of
 the server Pidgin connected to.

Comment (by rekkanoryo):

 We will NOT be removing the NSS plugin.  GNUTLS isn't an option
 everywhere.

 Patches to implement certificate verification with the NSS plugin are
 welcome.

-- 
Ticket URL: <http://developer.pidgin.im/ticket/3381#comment:6>
Pidgin <http://pidgin.im>
Pidgin


More information about the Tracker mailing list