Thanks, David.

On Sat, Nov 6, 2010 at 4:01 PM, David Woolley <[email protected]> wrote:
> Yonatan Amir wrote:
>>
>> This recent FireSheep business got me wondering - does Pidgin authenticate
>> the MSN protocol with encryption? I use Pidgin on an unencrypted wireless
>> network at school, and I'm worried about some bored individual capturing my
>> credentials. I couldn't find any information that would be useful to me.
>
> Looking at some slightly dated source code, it seems to use the Windows Live
> ID authentication protocol, which may well be dictated by Microsoft. This
> seems to at least use hashing. I didn't notice any session key negotiation,
> so I would suspect that it is vulnerable to dictionary attacks, so you
> should choose a strong password.
>
> This is based on looking at the code for not much more than 5 minutes, so
> there might be stronger encryption that I have missed.
>
> --
> David Woolley
> Emails are not formal business letters, whatever businesses may want.
> RFC1855 says there should be an address here, but, in a world of spam,
> that is no longer good advice, as archive address hiding may not work.
>
