On Monday 26 November 2007, Dizzy wrote:
> Hello
>
> Let's assume that someone can sniff and modify and control all your Internet
> traffic (say if you are using tor and such). I am interested to know what
> is the security against such problems of authentication schemes used in
> kopete for ICQ/AOL/YM/MSN/Jabber protocols. I understand this does not
> depend much on kopete and a lot of the protocol itself and also that the
> conversations themselves may not be secure if not using an encryption for
> the conversations too. However, I am only interested in the security of the
> authentication (from the perspective, can the MITM find out my password or
> enough information so she could login instead of me with my account?)
>
> My Jabber needs are for google talk and as I can see so far it uses SSL so
> that should be covered at least. Also some good soul from freenode/#kopete
> said that MSN does use some kind of challenge based auth (so apparently
> immune to MITM account takeover) so that should be solved too. What about
> the rest?

MSN authentication is done via HTTPS. We receive a cookie by connecting to https://passport.com that we can use in the MSN protocol. The challenge is not used for auth or MITM prevention; this is more something to prevent writing third-party clients (like Kopete), but fortunately, the challenge has been cracked by reverse engineering of the official client. All the traffic (messages, presence, ...) is sent as plain text, which means that someone with wireshark can read all your messages.

On Jabber, several ways may be used for authentication. Usually, it's done by sending an md5sum of the password + some salt. Most servers support TLS, which means that everything between the client and the server can be encrypted, including messages. But this requires, in kopete, making sure to check the correct checkbox. But most Jabber TLS certificates are self-signed. gtalk probably has a signed certificate anyway. And http://xmpp.net is now signing Jabber certificates free of charge, but its certificate is not yet included in Kopete.

I don't know about other protocols.

I hope this helps.

--
Olivier
_______________________________________________ kopete-devel mailing list [email protected] https://mail.kde.org/mailman/listinfo/kopete-devel
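
Added example, not part of the original message and not Kopete or Jabber code: a simplified model of the "md5sum of the password + some salt" login described in the reply, showing what a passive sniffer sees on the wire and why a captured response cannot simply be replayed. The `Server` class, the function names, the sample password and the exact digest layout (MD5 over salt followed by password) are assumptions made for illustration; real servers use their own SASL digest computation.

```python
import hashlib
import hmac
import secrets


def digest_response(password: str, salt: str) -> str:
    """Client side: send a digest instead of the password (assumed layout)."""
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


class Server:
    """Hypothetical server that issues one-time salts and checks digests."""

    def __init__(self, password: str) -> None:
        self._password = password
        self._pending = set()  # salts issued but not yet consumed

    def challenge(self) -> str:
        salt = secrets.token_hex(16)  # fresh random salt per login attempt
        self._pending.add(salt)
        return salt

    def verify(self, salt: str, response: str) -> bool:
        if salt not in self._pending:
            return False              # unknown or already used salt
        self._pending.discard(salt)   # each salt is accepted only once
        expected = digest_response(self._password, salt)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = "correct horse"        # constructed sample value
    server = Server(password)

    salt = server.challenge()
    response = digest_response(password, salt)
    on_wire = (salt, response)        # everything a passive sniffer captures

    results = {
        "legit_login": server.verify(salt, response),
        # Replaying the captured pair: the salt was already consumed.
        "replay_same_salt": server.verify(*on_wire),
        # Replaying the old digest against a new salt: digest does not match.
        "replay_new_salt": server.verify(server.challenge(), response),
        "password_on_wire": password in "".join(on_wire),
    }
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model covers only the login exchange seen by a passive listener; it says nothing about traffic that is modified in transit or about the messages that follow, which is where the TLS setting mentioned in the reply applies.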
