[prev in list] [next in list] [prev in thread] [next in thread]
List: kopete-devel
Subject: Re: [kopete-devel] Security of authentication schemes (for MITM
From: Olivier Goffart <ogoffart () kde ! org>
Date: 2007-11-26 15:06:40
Message-ID: 200711261606.44188.ogoffart () kde ! org
[Download RAW message or body]
[Attachment #2 (multipart/signed)]
Le lundi 26 novembre 2007, Dizzy a écrit :
> Hello
>
> Lets assume that someone can sniff and modify and control all your Internet
> traffic (say if you are using tor and such). I am interested to know what
> is the security against such problems of authentication schemes used in
> kopete for ICQ/AOL/YM/MSN/Jabber protocols. I understand this does not
> depend much on kopete and alot of the protocol itself and also that the
> conversations themselves may not be secure if not using an encryption for
> the conversations too. However, I am only interested in the security of the
> authentication (from the perspective, can the MITM find out my password or
> enough information so she could login instead of me with my account?)
>
> My Jabber needs are for google talk and as I can see so far it uses SSL so
> that should be covered at least. Also some good soul from freenode/#kopete
> said that MSN does use some kind of challenge based auth (so apparently
> immune to MITM account takeover) so that should be solved too. What about
> the rest?
MSN authentication is done via HTTPS.
We receive a cookie by connecting to https://passport.com we can use in the
men protocol.
The challenge is not used to auth or MITM prevention, this is more something
to prevent writing third party client (like Kopete), but fortunately, the
challenge has been cracked by reverse engineering of the official client.
All the traffic (message, presence, ...) is sent as plain text, which mean
that someone with wireshark can read all your messages.
On Jabber, several way may be used for authentication. Usually, it's done by
sending an md5sum of the password + some salt.
Most server support TLS, which mean that everything between the client and the
server can be encrypted, including messages. But this require, in kopete, to
make sure to check the correct checkbox.
But most of jabber TLS certificate are self signed. gtalk has probably a
signed certificate anyway. And http://xmpp.net is now signing jabber
certificate free of charge, but his certificate is not yet included in
Kopete.
I don't know about others protocols.
I hope this helps.
--
Olivier
["signature.asc" (application/pgp-signature)]
_______________________________________________
kopete-devel mailing list
kopete-devel@kde.org
https://mail.kde.org/mailman/listinfo/kopete-devel
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic