*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: pidgin

It looks like this bug was reported in Launchpad some time ago, but for the wrong package. I'd love to see it fixed. Here's the original text:

As per http://developer.pidgin.im/ticket/3381 the Pidgin IM client does not properly implement SSL and TLS, particularly components dealing with feedback to the end user. The client gives the end user no method of determining the validity of the certificate; in cases where a server presents invalid or self-signed certificates, Pidgin operates as normal. As a result, any man-in-the-middle attack can handshake with the server and with the client (using a fake certificate) and perform a decrypt-recrypt process to read the data-- including message text and plaintext passwords-- in plain text.

No proof of concept for this specific attack exists. Those wishing to write one can create an Ettercap plug-in

** Affects: pidgin (Ubuntu)
     Importance: Undecided
         Status: New

** Visibility changed to: Public

-- 
Pidgin XMPP TLS/SSL Man in the Middle attack
https://bugs.launchpad.net/bugs/251304
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
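The two client policies the report contrasts, as an added example written for this page (not Pidgin's own code, which is C, and not part of the bug report or the Launchpad ticket). It uses Python's standard ssl module: permissive_context() reproduces the behaviour described above (any certificate, including an attacker's self-signed one, is accepted and the session proceeds as normal), while strict_context() fails closed on chain validation and hostname mismatch. The XMPP STARTTLS exchange follows RFC 6120 section 5; the function names are assumptions of this example, and xmpp_starttls needs a live XMPP server, so only the policy checks are exercised offline.

```python
"""Added example: TLS client policy in the style of the Pidgin report.

permissive_context() is the vulnerable policy; strict_context() is the
hardened one. Assumed names, not Pidgin API.
"""
import socket
import ssl
from typing import Optional

XMPP_TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"   # RFC 6120 STARTTLS namespace


def permissive_context() -> ssl.SSLContext:
    """The reported behaviour: no chain validation, no hostname check, no
    feedback to the user. A MITM's forged certificate is accepted silently."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # accept anything the peer presents
    return ctx


def strict_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Fail closed: require a chain to a trusted CA and a matching hostname.
    cafile may point at a pinned CA bundle; None uses the system store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def accepts_unverified_cert(ctx: ssl.SSLContext) -> bool:
    """True if a handshake against an untrusted or mismatched certificate
    would succeed with this context, i.e. the MITM described in the report
    would go unnoticed."""
    return ctx.verify_mode == ssl.CERT_NONE or not ctx.check_hostname


def _read_until(sock: socket.socket, marker: bytes, limit: int = 65536) -> bytes:
    """Read from sock until marker appears (minimal, string-based framing)."""
    buf = b""
    while marker not in buf:
        chunk = sock.recv(4096)
        if not chunk or len(buf) > limit:
            raise RuntimeError("stream closed before %r" % marker)
        buf += chunk
    return buf


def xmpp_starttls(host: str, ctx: ssl.SSLContext, port: int = 5222,
                  domain: Optional[str] = None, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open an XMPP stream, negotiate STARTTLS (RFC 6120 s.5) and return the
    TLS-wrapped socket. With strict_context() a forged certificate makes
    wrap_socket() raise ssl.SSLCertVerificationError; a client should show
    e.verify_message to the user instead of proceeding. With
    permissive_context() the same handshake succeeds and the MITM can
    decrypt and re-encrypt everything that follows, passwords included."""
    domain = domain or host
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.sendall(
        ("<?xml version='1.0'?><stream:stream to='%s' version='1.0' "
         "xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams'>"
         % domain).encode())
    features = _read_until(sock, b"</stream:features>")
    if b"<starttls" not in features:
        raise RuntimeError("server does not offer STARTTLS")
    sock.sendall(("<starttls xmlns='%s'/>" % XMPP_TLS_NS).encode())
    reply = _read_until(sock, b"/>")
    if b"<proceed" not in reply:
        raise RuntimeError("server refused STARTTLS: %r" % reply)
    # The handshake happens here; ctx decides whether a bad cert is fatal.
    return ctx.wrap_socket(sock, server_hostname=domain)
```

The order of assignments in permissive_context matters: Python refuses to set verify_mode to CERT_NONE while check_hostname is still True, which is a small guard against ending up with the reported policy by accident. Note that strict_context only helps if the client actually surfaces the verification error; a client that catches it and carries on is back to the reported behaviour.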