|
Full Disclosure
mailing list archives
Miranda TLS MitM with XMPP/Jabber protocol
From: Jan Schejbal <jan.mailinglisten () googlemail com>
Date: Tue, 06 Apr 2010 03:04:42 +0200
The Miranda IM instant messaging software silently falls back to
unencrypted connections if a Jabber/XMPP server does not report that it
supports TLS, even if "Use TLS" is checked. This allows an active
attacker to perform MitM attacks on Jabber/XMPP connections which the
user assumes to be secure.
Proof of concept MitM server attached.
Miranda IM team was notified via bugtracker. Issue was closed without
being fixed, probably because of confusion with another, similar issue
(posted here before, seemingly unrelated configuration settings could
completely disable TLS, that one was fixed). I commented twice that this
bug is not fixed, but no response was seen.
Workaround: Use SSL.
Attachment:
mirandamitm.pl
Description:
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
 By Date 
By Thread
Current thread:
- Miranda TLS MitM with XMPP/Jabber protocol Jan Schejbal (Apr 06)
|
