On 2014-10-17 10:05, Daniel Atallah wrote:
On Fri, Oct 17, 2014 at 9:27 AM, Lois Janes <loistja...@mail.com
<mailto:loistja...@mail.com>> wrote:
Is Pidgin vulnerable to the POODLE SSLv3 vulnerability?
I know that Pidgin doesn't offer a way to disable SSLv3 support,
so I'm specifically interested in whether Pidgin is suseptible to
a TLS/SSL downgrade attack?
Does Pidgin retry failed connections with lower SSL/TLS protocol
versions?
Does Pidgin support TLS_FALLBACK_SCSV?
The answer to all these questions depends on which SSL/TLS (gnutls or
NSS) library you're using with pidgin and the configuration of that
library (which will depend on your OS).
Pidgin/libpurple itself has no direct interaction with the SSL/TLS
handshake process.
I'm not sure that it matters either way, POODLE not only requires a
downgrade to SSL 3, but it also requires the client to be cooperative in
sending very specific combinations of data over the same SSL 3 stream in
a repeatable, controllable (or at least predictable) fashion.
This is fairly trivial to accomplish in a browser with access to
Javascript, but unless pidgin can be compelled to send
third-party-server-submitted data over the SSL 3 encrypted stream, this
particular vulnerability probably can't be actively exploited. Most
other "x-over-SSL" protocols (SMTP, POP3, IMAP, etc) are not vulnerable
even if forced down to SSL 3.
Disabling SSL 3 is still a good idea, but this specific attack needs a
lot more pieces than just a connection that can be forced to SSL 3.
--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
_______________________________________________
Support@pidgin.im mailing list
Want to unsubscribe? Use this link:
https://pidgin.im/cgi-bin/mailman/listinfo/support
