Friday, 23 September 2011

EFF Security Audit Uncovers Vulnerabilities in Messaging Software


We recently did a security audit in which we uncovered and helped to fix vulnerabilities in the popular open source messaging clients Pidgin and Adium. We were motivated by our desire to bolster the security of cryptographic software that we often recommend to individuals and organizations as a defense against surveillance. In particular, one tool that we are enthusiastic about is the widely-used Off-The-Record (OTR) plugin for Pidgin and Adium.

Not to be confused with Google's similarly named "Off The Record" chat, the plugin can be used with any of the popular instant messaging services enabled in Pidgin or Adium, including MSN, AIM, Yahoo!, and Google Talk itself. OTR is an anti-surveillance tool used by people around the world, from activists in authoritarian regimes to business folk looking to communicate securely with clients to families who want a private conversation with a distant loved one. If you are using Pidgin to talk from a Google account and have the OTR plugin enabled, then nobody---including Google---is in a position to read your encrypted communications en route to the other party. Though there are other options available for encrypted messaging, we especially like OTR because it has many desirable features, and unlike other encryption, it's easy to use.

However, there is little value in having a nicely-conceived encryption tool if the implementations that people actually use are filled with security bugs! Therefore, we decided to do an audit to find and fix some of those bugs. We chose to focus our efforts on the libpurple messaging client library used by both Adium and Pidgin and some of the software that it depends on (notably GnuTLS and libxml2). Strengthening the security of these libraries is vital to ensuring that people have the option of truly private, encrypted communication at their fingertips. We found and fixed quite a few bugs, which you might be able to see now and in the coming weeks and months by looking for security updates (for example, look under the "libpurple" section here) within the various code bases. As always, we recommend immediately downloading any security updates for your software, especially if that software is being used to combat surveillance.
