Security? Not even checking certs by default? Seriously?

What does that tell me about “strong security”?

Will neither use Spark again nor recommend it to anyone, thank you for trying.

Will stick around for discussion.

Best regards,

David

Yes. Please explain your concerns.

Alright. If I connect to the Jabber Server of my choice, I choose to have encryption enforced by my client software. If the Server does not support that, my client of choice does not connect.

So let's suppose someone screwed with DNS (or ARP or something else) in a way so that I connect to a server I did not intend to speak to.

Now if I send my credentials to that server I did not intend to speak to, they will know them, so for a classic man in the middle they have won. The best thing is, I might think I am protected because everything was encrypted. $INSERT_ADDITIONAL_POSSIBLE_FRAUD_HERE

If my client asked whether I knew the cert given by the server (which I may know) and saved that, then if the cert changed it (my client) could alert me to that situation, so I would not send my credentials to a fraudulent party.

I deeply hope that you knew beforehand what a MitM means to security/privacy.

Best regards,

David

I’m not a security expert (nor developer), but I know about the man-in-the-middle attack and DNS spoofing. So, the problem is that Spark is not alerting when the certificate of the server changes? I can file that in the bug tracker, though I’m afraid I can’t check this issue thoroughly. Someone more experienced would have to approve this. Not talking about fixing, because we lack developers here. Openfire has security issues too, but there is just no one to fix all of them.

Yes, not asking if the certs change is part of the problem, but Spark must even ask the first time it connects if the cert is valid/known to the user.

How else should the (slightly paranoid/considerate) user determine if the connection is established with the right server in the first place?

Speaking about browsers, they usually don’t ask the user for a confirmation if a cert is valid (date), known (authority from the trusted root) and if there is no difference between the server name in the cert and in reality. So maybe Spark should also check if it can find such an authority in the operating system’s trusted roots (wondering about Linux though) and, if it can approve such a cert itself, maybe it shouldn’t even ask.

Anyway, I will create a ticket, but as I said, I doubt it will be completed anytime soon. Also, maybe this should be done on the Smack library side, in the connection manager part, too. So, feel free to use and advise some more secure client in the meantime.

SPARK-1203
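The checks discussed in the two posts above (refusing a server whose cert is invalid or names another host, and remembering the cert so a later change raises an alert) can be sketched in a few lines. This is an added illustration, not Spark or Smack code; it uses only the Python standard library and operates on the dict shape that `ssl.SSLSocket.getpeercert()` returns plus the DER bytes from `getpeercert(binary_form=True)`. The certificate fields, DER bytes and host names below are constructed sample data, and `verify_server`, `tofu_check` and the other function names are this example's own.

```python
"""Client-side certificate checks before credentials are sent (added example)."""
import hashlib
import ssl
import time

# getpeercert()-style view of a server certificate (constructed sample data).
SAMPLE_CERT = {
    "subject": ((("commonName", "xmpp.example.org"),),),
    "issuer": ((("commonName", "Example Root CA"),),),
    "subjectAltName": (("DNS", "xmpp.example.org"), ("DNS", "*.example.org")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2034 GMT",
}
# Constructed stand-in for the DER bytes a real getpeercert(binary_form=True) returns.
SAMPLE_DER = b"\x30\x82\x01\x0a--constructed-der-bytes--"


def hardened_context() -> ssl.SSLContext:
    """Browser-style behaviour: chain to an OS-trusted root and check the hostname.
    Both are on by default in create_default_context(); the connection is dropped
    if either fails, which is what the thread asks Spark to do."""
    ctx = ssl.create_default_context()
    return ctx


def weak_context() -> ssl.SSLContext:
    """The 'not even checking certs' setting: traffic is encrypted, but any
    server (including one reached via spoofed DNS/ARP) is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def within_validity(cert: dict, now=None) -> bool:
    """Date check: notBefore <= now <= notAfter (strings parsed by the ssl module)."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now <= not_after


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Name check against subjectAltName dNSName entries; a leading wildcard
    covers exactly one label, and a bare '*.example.org' does not match 'example.org'."""
    host_labels = hostname.lower().split(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern_labels = value.lower().split(".")
        if len(pattern_labels) != len(host_labels):
            continue
        if pattern_labels[0] == "*" and len(pattern_labels) > 2:
            if pattern_labels[1:] == host_labels[1:]:
                return True
        elif pattern_labels == host_labels:
            return True
    return False


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, the value a client would persist per server."""
    return hashlib.sha256(der).hexdigest()


def tofu_check(store: dict, server: str, der: bytes) -> str:
    """Trust-on-first-use: 'new' (ask the user before remembering), 'known'
    (same cert as last time) or 'CHANGED' (alert; do not send credentials)."""
    previous = store.get(server)
    if previous is None:
        return "new"
    return "known" if previous == fingerprint(der) else "CHANGED"


def remember(store: dict, server: str, der: bytes) -> None:
    """Called only after the user has confirmed a 'new' certificate."""
    store[server] = fingerprint(der)


def verify_server(cert: dict, der: bytes, hostname: str, store: dict, now=None) -> dict:
    """Combine the checks; credentials go out only when every check passes
    and the cert is one the user already accepted."""
    result = {
        "valid_dates": within_validity(cert, now),
        "hostname_ok": hostname_matches(cert, hostname),
        "tofu": tofu_check(store, hostname, der),
    }
    result["needs_user_confirmation"] = result["tofu"] == "new"
    result["safe_to_authenticate"] = (
        result["valid_dates"] and result["hostname_ok"] and result["tofu"] == "known"
    )
    return result


if __name__ == "__main__":
    known = {}
    now = ssl.cert_time_to_seconds("Jun 15 12:00:00 2025 GMT")
    print(verify_server(SAMPLE_CERT, SAMPLE_DER, "xmpp.example.org", known, now))
    remember(known, "xmpp.example.org", SAMPLE_DER)
    print(verify_server(SAMPLE_CERT, b"different-der", "xmpp.example.org", known, now))
```

Chain validation against the OS trust store is left to `hardened_context()` because it needs real certificates; the date, hostname and fingerprint logic runs on plain data so the failure modes from the thread (a changed cert, a cert for another host) can be exercised offline.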

Pidgin :confused:

Thank you for filing the bug.

As Spark 2.8 (and Smack 4) are now dropping the connection if the certificates are invalid, I have reworded the https://issues.igniterealtime.org/browse/SPARK-1203 ticket. Although, I do not agree on providing a dialog for correct certificates. Browsers do not do this. Of course, they provide the information about the certificate in the address bar, so maybe Spark needs such information somewhere too.