On 5/23/2012 1:37 PM, David Woolley wrote:
> Ahmed Rambarran wrote:
>> Is there a way to create a custom pidgin package that includes IM
>> communication for AOL, Yahoo, & MSN only where all the mentioned IM
>> channels get routed to an internal server? We are currently logging
>> IM conversations but users who have Pidgin installed on their machine
>> seem to bypass this feature. Please let me know if anyone has done
>> this before.
> Please remind me to avoid those services if I'm sending anything
> sensitive! Are they really that vulnerable to a man in the middle
> attack, or are you using special remote clients, with the real IM
> client on your server?
They're really that vulnerable, or were a couple years ago when I was
using a transparent proxy to monitor and log traffic.
They either didn't use encryption at all or failed to validate
certificates such that they were trivial to MITM. I don't recall which
as the tool we used was off the shelf and not something we needed to
construct ourselves.
Obviously anyone who cares about security should use IM services that
they control, and that are properly encrypted (*cough*XMPP+SSL*cough*)
although even then, you need to be careful because iPhone/Android
clients will use a third party service (essentially a "bouncer") to
maintain a connection to the server when the client software
disconnects, which is very convenient, but potentially opens yet another
backdoor.
Limiting IM to within corporate boundaries is a potential option, but
being able to communicate securely from outside the corporate network
can be invaluable (and a lot safer than using SMS).
Either that, or just assume that, like email, unless you know otherwise,
IMs should be treated with the sensitivity and security of a postcard.
--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
_______________________________________________
[email protected] mailing list
Want to unsubscribe? Use this link:
http://pidgin.im/cgi-bin/mailman/listinfo/support
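The "failed to validate certificates" failure mode Dave describes above comes down to a TLS client configuration choice. The following is an added illustration, not code from Pidgin or from anyone in this thread: it builds the weak client context beside a hardened one and audits an arbitrary context for the settings that make a transparent proxy trivially able to interpose. Function names are the example's own.

```python
import ssl


def insecure_context() -> ssl.SSLContext:
    """Client context that encrypts but never validates the peer.

    This mirrors the legacy IM-client behaviour discussed in the thread:
    any interposed proxy presenting a self-signed certificate is accepted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # accept any certificate, or none
    return ctx


def hardened_context(cafile: str = None) -> ssl.SSLContext:
    """Client context a corporate XMPP deployment should use.

    create_default_context() already requires a chain to a trusted CA and
    checks the hostname; cafile lets you pin an internal CA instead of the
    system store. Assumption: TLS 1.2 is the floor your server supports.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return human-readable findings for settings that allow a trivial MITM."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required: any certificate, "
                        "or no certificate at all, is accepted")
    if not ctx.check_hostname:
        findings.append("hostname not checked: a certificate valid for "
                        "some other name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS below 1.2 allowed: downgrade to weak versions "
                        "is possible")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()),
                      ("hardened", hardened_context())):
        print(name, audit_context(ctx) or ["no findings"])
```

Wrap a socket with `hardened_context().wrap_socket(sock, server_hostname=host)` when connecting; with the insecure context the same handshake completes against any interposed certificate.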