[Pidgin] #11110: Pidgin appears to leak DNS for Jabber accounts
Pidgin
trac at pidgin.im
Fri Apr 15 15:38:50 EDT 2011
#11110: Pidgin appears to leak DNS for Jabber accounts
----------------------------------------+-----------------------------------
Reporter: ioerror | Owner: deryni
Type: defect | Status: new
Milestone: Implementation In Progress | Component: XMPP
Version: | Resolution:
Keywords: jabber security privacy |
----------------------------------------+-----------------------------------
Comment(by datallah):
Replying to [comment:25 ioerror]:
> Replying to [comment:24 datallah]:
> > Right, your patch does what you want for your particular situation, but
> > it isn't going to be an acceptable thing to do in libpurple by default - in
> > most proxy cases, the right thing to do *is* going to be the SRV lookup.
>
> Hrm - how are you deciding that? Isn't this bug report a record of a
> bunch of users asking that this dangerous default behavior be changed? And
> also that they're surprised by this default behavior?
The vast majority of proxy usage isn't by people looking for "anonymity" -
it is people with a restricted network of some variety (frequently
a corporate network) and they need to use a proxy (usually provided by the
network administrator) to be able to access external resources.
Most people don't care that their ISP can see what they attempt to connect
to. If e.g. GTalk (or many other XMPP services) didn't work out of the
box because we didn't do SRV lookups, there would be orders of magnitude
more people complaining about that - there already are lots of people
who seek support because they use a broken DNS server that doesn't do SRV.
> > The proposed plugin solution will bypass SRV/TXT lookups and make it
> > seem to the code that initiates the lookup that no results were returned.
> > If implemented correctly, it should have the same effect as changing the
> > code like you're doing, but will apply to all places where the dns
> > requests are made.
>
> Will this plugin be enabled by default when you use a proxy? If not,
> pidgin will leak information to the network that allows an attacker to
> violate client privacy and reroute client destination traffic. If so - why
> implement it as a plugin?
No, of course it won't be enabled by default. It isn't even clear that
the plugin would be distributed with Pidgin at all (it could be though).
It would be a plugin because it's a hack - you'd be (intentionally)
crippling libpurple.
> I admit, I'm new to pidgin internals, so I'm really not sure of why
> you'd make this choice over another. The idea of having it apply
> everywhere is a much better solution, I agree - I'm actually undertaking
> an audit of each protocol (
> https://trac.torproject.org/projects/tor/ticket/2918 ) that we want to
> support in TIMBB. Nonetheless - I'm confused how normal users using a
> normal pidgin proxy setting will be protected from DNS leaking security
> and privacy issues?
This plugin would be something that presumably you would ship with your
"TIMBB" (I'm not sure that that actually is anyway) and could be enabled
by default in that setup.
> Perhaps it would make sense to have a preference where we "allow DNS
> requests to bypass proxy settings" in the proxy dialog? And perhaps that
> would be implemented by a plugin that is enabled by default unless you
> check that box?
If it was a checkbox, in the preferences, then it likely wouldn't be a
plugin.
I think that the biggest confusion here is that you're assuming that
"proxy" == "anonymizing proxy".
I would certainly agree that there should be a way to use Pidgin in such a
way that doesn't leak information for those who want to use it with
something like Tor and can follow instructions on how to set it up
correctly, but it shouldn't be at the cost of support for the more common
use cases.
--
Ticket URL: <http://developer.pidgin.im/ticket/11110#comment:26>
Pidgin <http://pidgin.im>
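The behaviour discussed in this comment, as an added Python sketch that is not Pidgin or libpurple code: an SRV lookup wrapper that reports "no results" when local DNS is disallowed, so the client falls back to the account domain and passes it to a SOCKS5 proxy as a hostname. All function names, the `resolver` callable and the sample SRV answer are hypothetical and constructed for illustration.

```python
import ipaddress
import struct

XMPP_CLIENT_PORT = 5222  # default client port used when no SRV record is consulted


def srv_lookup(domain, local_dns_allowed, resolver):
    """Return SRV records for _xmpp-client._tcp.<domain>, or [] if local DNS is off."""
    if not local_dns_allowed:
        return []  # the caller sees "no results"; nothing is sent to the local resolver
    return resolver("_xmpp-client._tcp." + domain)


def connect_target(domain, local_dns_allowed, resolver):
    """Pick the (host, port) that will be handed to the proxy for an XMPP account."""
    records = srv_lookup(domain, local_dns_allowed, resolver)
    if records:
        _priority, host, port = min(records)  # lowest priority value wins; weight ignored
        return host, port
    return domain, XMPP_CLIENT_PORT  # fallback: account domain on the default port


def socks5_connect_request(host, port):
    """Build a SOCKS5 CONNECT request (RFC 1928) for a hostname or an IP literal."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        body = b"\x03" + bytes([len(name)]) + name  # ATYP 3: the proxy resolves the name
    else:
        body = (b"\x01" if addr.version == 4 else b"\x04") + addr.packed
    return b"\x05\x01\x00" + body + struct.pack("!H", port)


def demo():
    queries = []  # every name that would have reached the local DNS server

    def fake_resolver(name):  # constructed stand-in for the system resolver
        queries.append(name)
        return [(10, "xmpp1.example.net", 5223)]  # constructed (priority, host, port)

    with_srv = connect_target("example.org", True, fake_resolver)
    leaked = list(queries)
    queries.clear()
    without_srv = connect_target("example.org", False, fake_resolver)
    return with_srv, leaked, without_srv, list(queries)


if __name__ == "__main__":
    print(demo())
```

With local DNS disallowed the account connects to its own domain on port 5222, so a service that is only reachable through its SRV target will not connect out of the box, which is the trade-off raised in the comment above.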