On 08/05/2014 06:18 PM, Tom Ritter wrote: > I didn't see any mention of the security fix in the blog post, but it > is in the referenced APK? Do you know when this bug was introduced or > which versions of ChatSecure were vulnerable?
I wrote the blog post before the vulnerability was public, so I need to update it now with more details. The fix is definitely included as part of the 13.2.0-beta-1 tagged release. As for as when the vulnerability was introduced, the vuln info page is pretty clear about when it was introduced into Smack itself. However, with ChatSecure, I am still sorting out the timeline and just trying to determine how exposed we really are. In fact, since we use a custom SSLContext, and only rely on PinningTrustManger and MemorizingTrustManager, I think we may actually not be as vulnerable as I thought: https://github.com/guardianproject/ChatSecureAndroid/blob/master/src/info/guardianproject/otr/app/im/plugin/xmpp/XmppConnection.java#L1139 sslContext = SSLContext.getInstance(SSLCONTEXT_TYPE); mTrustManager = getTrustManager (); SecureRandom mSecureRandom = new java.security.SecureRandom(); sslContext.init(null, new javax.net.ssl.TrustManager[] { mTrustManager }, mSecureRandom); sslContext.getDefaultSSLParameters().setCipherSuites(XMPPCertPins.SSL_IDEAL_CIPHER_SUITES); https://github.com/guardianproject/ChatSecureAndroid/blob/master/src/info/guardianproject/otr/app/im/plugin/xmpp/XmppConnection.java#L1415 public synchronized X509TrustManager getTrustManager () { if (mTrustManager == null) { PinningTrustManager trustPinning = new PinningTrustManager(SystemKeyStore.getInstance(aContext),XMPPCertPins.getPinList(), 0); mTrustManager = new MemorizingTrustManager(aContext, trustPinning); } return mTrustManager; } > -tom > > On 5 August 2014 15:59, Nathan of Guardian <[email protected]> > wrote: >> >> Thanks to Georg of Yaxim for his great work on this, both technically >> and in coordinating with us. >> >> https://op-co.de/CVE-2014-5075.html >> >> "Smack is an Open Source XMPP (Jabber) client library for instant >> messaging and presence written in Java. Smack prior to version 4.0.2 is >> vulnerable to TLS Man-in-the-Middle attacks, as it fails to check if the >> server certificate matches the hostname of the connection." >> >> https://op-co.de/blog/posts/java_sslsocket_mitm/ >> >> Our fix for ChatSecure:Android >> (https://github.com/guardianproject/ChatSecureAndroid/commit/3f150daded7461255b9d51bfc59ff91f8a77ed81) >> is included in the new ChatSecure 13.2.0 beta out today, which is near >> enough to stable, that we recommend an upgrade: >> >> https://guardianproject.info/2014/08/05/chatsecure-13-2-important-beta-update/ >> >> +n >> >> >> >> _______________________________________________ >> Guardian-dev mailing list >> >> Post: [email protected] >> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev >> >> To Unsubscribe >> Send email to: [email protected] >> Or visit: >> https://lists.mayfirst.org/mailman/options/guardian-dev/tom%40ritter.vg >> >> You are subscribed as: [email protected] >> _______________________________________________ Guardian-dev mailing list Post: [email protected] List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev To Unsubscribe Send email to: [email protected] Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/archive%40mail-archive.com You are subscribed as: [email protected]
