From: Olivier Goffart
Date: Mon, 26 Nov 2007 15:06:40 +0000
To: kopete-devel
Subject: Re: [kopete-devel] Security of authentication schemes (for MITM
Message-Id: <200711261606.44188.ogoffart () kde ! org>
X-MARC-Message: https://marc.info/?l=kopete-devel&m=119612944821126

On Monday 26 November 2007, Dizzy wrote:
> Hello
>
> Let's assume that someone can sniff and modify and control all your Internet
> traffic (say if you are using tor and such). I am interested to know what
> is the security against such problems of authentication schemes used in
> kopete for ICQ/AOL/YM/MSN/Jabber protocols. I understand this does not
> depend much on kopete and a lot of the protocol itself and also that the
> conversations themselves may not be secure if not using an encryption for
> the conversations too. However, I am only interested in the security of the
> authentication (from the perspective, can the MITM find out my password or
> enough information so she could login instead of me with my account?)
>
> My Jabber needs are for google talk and as I can see so far it uses SSL so
> that should be covered at least. Also some good soul from freenode/#kopete
> said that MSN does use some kind of challenge based auth (so apparently
> immune to MITM account takeover) so that should be solved too. What about
> the rest?

MSN authentication is done via HTTPS.
We receive a cookie by connecting to https://passport.com that we can use in the
MSN protocol.
The challenge is not used for auth or MITM prevention; it is more something
to prevent writing third-party clients (like Kopete), but fortunately, the
challenge has been cracked by reverse engineering of the official client.

All the traffic (messages, presence, ...) is sent as plain text, which means
that someone with wireshark can read all your messages.

On Jabber, several ways may be used for authentication. Usually, it's done by
sending an md5sum of the password + some salt.
Most servers support TLS, which means that everything between the client and the
server can be encrypted, including messages. But this requires, in kopete,
making sure to check the correct checkbox.
But most Jabber TLS certificates are self-signed. gtalk probably has a
signed certificate anyway. And http://xmpp.net is now signing Jabber
certificates free of charge, but its certificate is not yet included in
Kopete.

I don't know about other protocols.

I hope this helps.
-- 
Olivier
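
An added illustration, not part of the original message and not code from Kopete or any XMPP server: a simplified model of the "md5sum of the password + some salt" login mentioned above, with the salt treated as a server-issued, single-use nonce. `ToyAuthServer`, `digest_response` and the account are hypothetical, and the real XMPP wire format differs.

```python
import hashlib
import hmac
import secrets


def digest_response(password: str, nonce: str) -> str:
    """Client side: hash the per-session nonce together with the password.
    MD5 is used only to mirror the wording of the message above."""
    return hashlib.md5((nonce + password).encode("utf-8")).hexdigest()


class ToyAuthServer:
    """Hypothetical server: issues single-use nonces and checks digests."""

    def __init__(self, accounts):
        self._accounts = dict(accounts)  # user -> password (constructed data)
        self._pending = {}               # user -> nonce awaiting a response

    def start_session(self, user: str) -> str:
        nonce = secrets.token_hex(16)    # fresh and unpredictable per login
        self._pending[user] = nonce
        return nonce

    def verify(self, user: str, response: str) -> bool:
        nonce = self._pending.pop(user, None)  # a nonce is consumed once
        password = self._accounts.get(user)
        if nonce is None or password is None:
            return False
        expected = digest_response(password, nonce)
        # Constant-time comparison of the two hex strings.
        return hmac.compare_digest(expected.encode(), response.encode())


def demo() -> dict:
    user, password = "alice@example.org", "correct horse"  # constructed account
    server = ToyAuthServer({user: password})

    nonce = server.start_session(user)
    on_the_wire = digest_response(password, nonce)  # what a sniffer would see
    first_login = server.verify(user, on_the_wire)

    replay_without_session = server.verify(user, on_the_wire)
    server.start_session(user)                      # new login, new nonce
    replay_in_new_session = server.verify(user, on_the_wire)
    return {
        "first_login": first_login,
        "replay_without_session": replay_without_session,
        "replay_in_new_session": replay_in_new_session,
    }


if __name__ == "__main__":
    print(demo())
```

The digest only protects the login step against replay of a sniffed value; everything after it still travels in the clear unless the connection uses TLS with a certificate the client actually verifies.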