[Pidgin] #11110: Pidgin appears to leak DNS for Jabber accounts

Pidgin trac at pidgin.im
Fri Apr 15 15:53:07 EDT 2011


#11110: Pidgin appears to leak DNS for Jabber accounts
----------------------------------------+-----------------------------------
 Reporter:  ioerror                     |        Owner:  deryni
     Type:  defect                      |       Status:  new   
Milestone:  Implementation In Progress  |    Component:  XMPP  
  Version:                              |   Resolution:        
 Keywords:  jabber security privacy     |  
----------------------------------------+-----------------------------------

Comment(by ioerror):

 Replying to [comment:26 datallah]:
 > Replying to [comment:25 ioerror]:
 > > Replying to [comment:24 datallah]:
 > > > Right, your patch does what you want for your particular situation,
 > > > but it isn't going to be an acceptable thing to do in libpurple by
 > > > default - in most proxy cases, the right thing to do *is* going to be
 > > > the SRV lookup.
 > >
 > > Hrm - how are you deciding that? Isn't this bug report a record of a
 > > bunch of users asking that this dangerous default behavior be changed? And
 > > also that they're surprised by this default behavior?
 >
 > The vast majority of proxy usage isn't by people looking for "anonymity" -
 > it is people with a restricted network of some variety (frequently a
 > corporate network) and they need to use a proxy (usually provided by the
 > network administrator) to be able to access external resources.
 >

 Right and often this includes local DNS filtering, monitoring or even
 simply a mis-functioning DNS resolver of some kind.

 > Most people don't care that their ISP can see what they attempt to
 > connect to.  If e.g. GTalk (or many other XMPP services) didn't work out
 > of the box because we didn't do SRV lookups, there would be orders of
 > magnitude more people complaining about that - there already are lots
 > of people who seek support because they use a broken DNS server that
 > doesn't do SRV.
 >

 This is an odd one - you guys already fixed *some* of these issues. My fix
 only impacts people who add a proxy, so it's actually not a perfect fix
 but it should not impact anyone by default. How many users even set
 proxies? Are the people who set proxies really unwilling to learn that
 their proxies reduce functionality? How has that been determined?

 > > > The proposed plugin solution will bypass SRV/TXT lookups and make it
 > > > seem to the code that initiates the lookup that no results were returned.
 > > > If implemented correctly, it should have the same effect as changing the
 > > > code like you're doing, but will apply to all places where the DNS
 > > > requests are made.
 > >
 > > Will this plugin be enabled by default when you use a proxy? If not,
 > > Pidgin will leak information to the network that allows an attacker to
 > > violate client privacy and reroute client destination traffic. If so - why
 > > implement it as a plugin?
 >
 > No, of course it won't be enabled by default.  It isn't even clear that
 > the plugin would be distributed with Pidgin at all (it could be though).
 > It would be a plugin because it's a hack - you'd be (intentionally)
 > crippling libpurple.
 >

 Well, I would say that currently there is a security and privacy problem
 in libpurple. So regardless of how we find a solution, currently libpurple
 isn't suitable for anyone who needs to use Pidgin for circumvention (Tor,
 OpenSSH) or anonymity (Tor) or simply as a way to securely forward at
 conferences (OpenSSH or other SOCKS proxies).

 > > I admit, I'm new to Pidgin internals, so I'm really not sure of why
 > > you'd make this choice over another. The idea of having it apply
 > > everywhere is a much better solution, I agree - I'm actually undertaking
 > > an audit of each protocol
 > > (https://trac.torproject.org/projects/tor/ticket/2918) that we want to
 > > support in TIMBB. Nonetheless - I'm confused how normal users using a
 > > normal Pidgin proxy setting will be protected from DNS leaking security
 > > and privacy issues?
 >
 > This plugin would be something that presumably you would ship with your
 > "TIMBB" (I'm not sure what that actually is anyway) and could be enabled
 > by default in that setup.
 >

 Oh, sorry. Tor IM Browser Bundle. It's a totally configured IM/Browser
 setup that uses Tor.

 > > Perhaps it would make sense to have a preference where we "allow DNS
 > > requests to bypass proxy settings" in the proxy dialog? And perhaps that
 > > would be implemented by a plugin that is enabled by default unless you
 > > check that box?
 >
 > If it was a checkbox, in the preferences, then it likely wouldn't be a
 > plugin.
 >

 Ok. Would you be interested in a checkbox?

 > I think that the biggest confusion here is that you're assuming that
 > "proxy" == "anonymizing proxy".

 I'm not assuming anonymizing proxy. I'm assuming that when a user says
 they wish to proxy their traffic relating to an account, they proxy the
 traffic related to that account. All of it. If you're using an SSH tunnel,
 it isn't about anonymity, it may just be about the local network being
 unsafe. Think Firesheep or dsniff, etc.

 > I would certainly agree that there should be a way to use Pidgin in such
 > a way that doesn't leak information for those who want to use it with
 > something like Tor and can follow instructions on how to set it up
 > correctly, but it shouldn't be at the cost of support for the more common
 > use cases.

 Great. My main concern is that it should not be an add-on that no one will
 use or an option that is disabled by default in an already advanced tab.

 I think a DNS related checkbox in the proxy widget might make sense over a
 plugin.

-- 
Ticket URL: <http://developer.pidgin.im/ticket/11110#comment:27>
Pidgin <http://pidgin.im>
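
Added example (not part of the ticket and not libpurple code): a Python sketch of the behaviour debated above, where SRV lookups are treated as returning no results when a proxy is set and the hostname is handed to a SOCKS5 proxy for remote resolution (RFC 1928, address type 0x03). The function names, the `allow_dns_bypass` flag modelled on the checkbox proposed in the thread, and the sample SRV answer are assumptions made for illustration.

```python
import struct
from dataclasses import dataclass, field

XMPP_CLIENT_PORT = 5222  # default xmpp-client port, used when no SRV answer


@dataclass
class Plan:
    local_dns_queries: list = field(default_factory=list)  # names sent to the local resolver
    connect_host: str = ""
    connect_port: int = XMPP_CLIENT_PORT
    socks_request: bytes = b""  # empty when connecting directly


def socks5_connect_by_name(host, port):
    """SOCKS5 CONNECT with ATYP=0x03: the proxy, not the client, resolves host."""
    name = host.encode("idna")
    if not 0 < len(name) <= 255:
        raise ValueError("hostname must be 1..255 bytes")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def plan_connection(jid_domain, use_proxy, allow_dns_bypass, srv_lookup):
    """Decide which names reach the local resolver and where to connect.

    srv_lookup(name) stands in for the local resolver (hypothetical callable)
    and returns (target, port) or None.
    """
    plan = Plan(connect_host=jid_domain)
    if not use_proxy or allow_dns_bypass:
        name = "_xmpp-client._tcp." + jid_domain
        plan.local_dns_queries.append(name)  # visible on the local network
        answer = srv_lookup(name)
        if answer:
            plan.connect_host, plan.connect_port = answer
    # Otherwise: behave as if the SRV lookup returned no results.
    if use_proxy:
        plan.socks_request = socks5_connect_by_name(plan.connect_host, plan.connect_port)
    else:
        plan.local_dns_queries.append(plan.connect_host)  # A/AAAA lookup
    return plan


def constructed_srv(name):
    # Constructed answer: the service host differs from the JID domain.
    return ("xmpp.example.org", 5223)


if __name__ == "__main__":
    for bypass in (False, True):
        p = plan_connection("example.org", True, bypass, constructed_srv)
        print(bypass, p.local_dns_queries, p.connect_host, p.connect_port, p.socks_request.hex())
```

With the bypass off, nothing reaches the local resolver, but the client connects to the JID domain itself, so a service that relies on SRV to point at a different host is not found; that is the trade-off argued over in this ticket.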