Public bug reported: Binary package hint: at
As per http://developer.pidgin.im/ticket/3381 the Pidgin IM client does not properly implement SSL and TLS, particularly components dealing with feedback to the end user. The client gives the end user no method of determining the validity of the certificate; in cases where a server presents invalid or self-signed certificates, Pidgin operates as normal. As a result, any man-in-the- middle attack can handshake with the server and with the client (using a fake certificate) and perform a decrypt-recrypt process to read the data-- including message text and plaintext passwords-- in plain text. No proof of concept for this specific attack exists. Those wishing to write one can create an Ettercap plug-in ** Affects: at (Ubuntu) Importance: Undecided Status: New -- [security] Pidgin XMPP TLS/SSL Man in the Middle attack https://bugs.launchpad.net/bugs/151613 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
