[Pidgin] #11110: Pidgin appears to leak DNS for Jabber accounts

Pidgin trac at pidgin.im
Fri Apr 15 16:42:18 EDT 2011


#11110: Pidgin appears to leak DNS for Jabber accounts
----------------------------------------+-----------------------------------
 Reporter:  ioerror                     |        Owner:  deryni
     Type:  defect                      |       Status:  new   
Milestone:  Implementation In Progress  |    Component:  XMPP  
  Version:                              |   Resolution:        
 Keywords:  jabber security privacy     |  
----------------------------------------+-----------------------------------

Comment(by datallah):

 Replying to [comment:27 ioerror]:
 > Replying to [comment:26 datallah]:
 > > Replying to [comment:25 ioerror]:
 > > > Replying to [comment:24 datallah]:
 > > > > Right, your patch does what you want for your particular
 > > > > situation, but it isn't going to be an acceptable thing to do in
 > > > > libpurple by default - in most proxy cases, the right thing to do
 > > > > *is* going to be the SRV lookup.
 > > >
 > > > Hrm - how are you deciding that? Isn't this bug report a record of a
 > > > bunch of users asking that this dangerous default behavior be changed?
 > > > And also that they're surprised by this default behavior?
 > >
 > > The vast majority of proxy usage isn't by people looking for
 > > "anonymity" - it is people with a restricted network of some variety
 > > (frequently a corporate network) and they need to use a proxy (usually
 > > provided by the network administrator) to be able to access external
 > > resources.
 >
 > Right and often this includes local DNS filtering, monitoring or even
 > simply a mis-functioning DNS resolver of some kind.

 Yes, but let's not confuse issues here - this ticket is about avoiding DNS
 leaks for people who want to use a proxy to avoid exposing information to
 others who might be able to see it if it used their network directly.

 > > Most people don't care that their ISP can see what they attempt to
 > > connect to.  If e.g. GTalk (or many other XMPP services) didn't work
 > > out of the box because we didn't do SRV lookups, there would be orders
 > > of magnitude more people complaining about that - there are already
 > > lots of people who seek support because they use a broken DNS server
 > > that doesn't do SRV.
 >
 > This is an odd one - you guys already fixed *some* of these issues. My
 > fix only impacts people who add a proxy, so it's actually not a perfect
 > fix but it should not impact anyone by default. How many users even set
 > proxies? Are the people who set proxies really unwilling to learn that
 > their proxies reduce functionality? How has that been determined?

 We fixed situations where we were doing DNS lookups in ways that couldn't
 be avoided and there was a fully correct non-breaking solution.

 We don't collect any sort of usage statistics, so we can only speculate
 based on the types of tickets we see and interactions with users.

 One assumption that I believe that we have to start off with is that if
 possible, it should *just work*.  If someone wants "privacy", they need to
 do appropriate research and take appropriate steps to configure their
 system appropriately - if you really care, you need to do what it takes to
 make that happen and not make assumptions.


 > Well, I would say that currently there is a security and privacy problem
 > in libpurple. So regardless of how we find a solution, currently libpurple
 > isn't suitable for anyone who needs to use pidgin for circumvention (Tor,
 > OpenSSH) or anonymity (Tor) or simply as a way to securely forward at
 > conferences (OpenSSH or other SOCKS proxies).

 Ok.

 >
 > > > Perhaps it would make sense to have a preference where we "allow DNS
 > > > requests to bypass proxy settings" in the proxy dialog? And perhaps
 > > > that would be implemented by a plugin that is enabled by default
 > > > unless you check that box?
 > >
 > > If it was a checkbox, in the preferences, then it likely wouldn't be a
 > > plugin.
 > >
 >
 > Ok. Would you be interested in a checkbox?

 Perhaps.  We tend to avoid adding additional complexity and preferences to
 the core, but this might be something that arguably could be warranted.

 > > I think that the biggest confusion here is that you're assuming that
 > > "proxy" == "anonymizing proxy".
 >
 > I'm not assuming anonymizing proxy. I'm assuming that when a user says
 > they wish to proxy their traffic relating to an account, they proxy the
 > traffic related to that account. All of it. If you're using an SSH tunnel,
 > it isn't about anonymity, it may just be about the local network being
 > unsafe. Think Firesheep or dsniff, etc.

 I still think you're making an incorrect (for the most common proxy usage)
 assumption.  Most people use a proxy because they need to - their
 restricted network just won't allow them to connect if they don't use a
 proxy; they just want it to work, they don't care if a stray DNS request
 doesn't go through the proxy if it causes their Google Talk account to
 connect.

 Sure, there are lots of valid reasons that someone would want to avoid
 using their local network's DNS, but only a tiny proportion of users will
 care - I'd bet that most people who use proxies don't even know what a
 proxy really is apart from a setting they need to set so stuff will work.

 All that said, I'm all for making it possible for the minority of people
 who want/need to do this for privacy/security reasons (I don't dispute
 that there are perfectly valid reasons to want to do this), I just want to
 make sure that we keep the context of the overall usage and other targeted
 use cases in mind.

-- 
Ticket URL: <http://developer.pidgin.im/ticket/11110#comment:28>
Pidgin <http://pidgin.im>
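The mechanism the two of them are arguing about, as an added example that is not Pidgin or libpurple code and not ioerror's patch: a SOCKS5 CONNECT request can carry the target hostname (address type 0x03 in RFC 1928), so the proxy does the A lookup and the local network sees nothing. RFC 1928 defines only CONNECT, BIND and UDP ASSOCIATE, so there is no way to send the `_xmpp-client._tcp.<domain>` SRV query through the proxy: it either goes to the local resolver (the leak) or is skipped, in which case the client must fall back to the bare domain on port 5222. The `allow_dns_bypass` flag below stands in for the checkbox proposed in the ticket; the `example.org` zone data, the recording resolver, and the assumption that "skip SRV when a proxy is set" is the non-leaking behaviour are all constructed for this demo.

```python
# Added example, not Pidgin/libpurple code. Shows what "DNS leak" means for
# an XMPP account behind a SOCKS5 proxy and why the SRV lookup is the hard
# part. Zone data, the resolver and the preference flag are constructed.
import struct

SOCKS5_VER = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03      # RFC 1928: proxy resolves the name, client does no DNS
XMPP_CLIENT_PORT = 5222


class RecordingResolver:
    """Stand-in for the OS resolver: answers from constructed tables and
    records every query, i.e. everything the local network would observe."""

    def __init__(self, srv_table, a_table):
        self.srv_table, self.a_table, self.queries = srv_table, a_table, []

    def srv(self, name):
        self.queries.append(("SRV", name))
        return self.srv_table.get(name, [])

    def a(self, name):
        self.queries.append(("A", name))
        return self.a_table[name]


def socks5_connect_request(host, port, resolver=None):
    """Build a SOCKS5 CONNECT request (RFC 1928 section 4).
    resolver=None sends the hostname as ATYP 0x03 (no local DNS); passing a
    resolver resolves locally and sends an IPv4 literal, leaking an A query."""
    if resolver is None:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("SOCKS5 domain name is limited to 255 octets")
        return (bytes([SOCKS5_VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
                + name + struct.pack("!H", port))
    octets = bytes(int(o) for o in resolver.a(host).split("."))
    return (bytes([SOCKS5_VER, CMD_CONNECT, 0x00, ATYP_IPV4])
            + octets + struct.pack("!H", port))


def parse_socks5_connect_request(data):
    """Decode a CONNECT request the way a proxy does; returns (host, port)."""
    ver, cmd, _rsv, atyp = data[:4]
    if ver != SOCKS5_VER or cmd != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == ATYP_IPV4:
        host, rest = ".".join(str(b) for b in data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unsupported address type %#x" % atyp)
    return host, struct.unpack("!H", rest[:2])[0]


def xmpp_connect_target(domain, resolver, proxy_configured, allow_dns_bypass):
    """Pick host:port for an XMPP account on `domain`. `allow_dns_bypass`
    models the ticket's proposed "allow DNS requests to bypass proxy
    settings" preference: with a proxy set and bypass disallowed, the SRV
    lookup (which SOCKS5 cannot carry) is skipped and the bare domain on
    5222 is handed to the proxy; otherwise the SRV lookup runs locally."""
    if proxy_configured and not allow_dns_bypass:
        return domain, XMPP_CLIENT_PORT
    records = resolver.srv("_xmpp-client._tcp." + domain)
    if not records:
        return domain, XMPP_CLIENT_PORT
    _prio, _weight, port, target = min(records)  # lowest priority wins; weight ignored
    return target, port


def connect_through_proxy(domain, resolver, allow_dns_bypass, resolve_locally=False):
    """Whole decision: returns (what the proxy sees, what local DNS saw)."""
    host, port = xmpp_connect_target(domain, resolver, True, allow_dns_bypass)
    req = socks5_connect_request(host, port, resolver if resolve_locally else None)
    return parse_socks5_connect_request(req), list(resolver.queries)


def make_demo_resolver():
    """Constructed zone data for example.org; not real DNS."""
    return RecordingResolver(
        srv_table={"_xmpp-client._tcp.example.org": [(5, 0, 5222, "xmpp.example.org")]},
        a_table={"example.org": "192.0.2.1", "xmpp.example.org": "192.0.2.2"},
    )


if __name__ == "__main__":
    for bypass, local in ((False, False), (True, False), (True, True)):
        seen, queries = connect_through_proxy("example.org", make_demo_resolver(), bypass, local)
        print("bypass=%s resolve_locally=%s -> proxy sees %s, local DNS saw %s"
              % (bypass, local, seen, queries))
```

Running it shows the three cases side by side: with bypass off the local resolver sees nothing and the proxy gets `example.org:5222` (which is why a server whose SRV record points elsewhere may fail to connect, the trade-off datallah describes); with bypass on the SRV query leaks but the proxy still resolves the SRV target; resolving locally on top of that also leaks the A query and hands the proxy a bare IP.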