[guardian-dev] Smack SSL MiTM Vuln and ChatSecure beta fix
Nathan of Guardian
nathan at guardianproject.info
Tue Aug 5 21:44:26 EDT 2014
On 08/05/2014 06:18 PM, Tom Ritter wrote:
> I didn't see any mention of the security fix in the blog post, but it
> is in the referenced APK? Do you know when this bug was introduced or
> which versions of ChatSecure were vulnerable?
I wrote the blog post before the vulnerability was public, so I need to
update it now with more details. The fix is definitely included as part
of the 13.2.0-beta-1 tagged release.
As for as when the vulnerability was introduced, the vuln info page is
pretty clear about when it was introduced into Smack itself. However,
with ChatSecure, I am still sorting out the timeline and just trying to
determine how exposed we really are.
In fact, since we use a custom SSLContext, and only rely on
PinningTrustManger and MemorizingTrustManager, I think we may actually
not be as vulnerable as I thought:
https://github.com/guardianproject/ChatSecureAndroid/blob/master/src/info/guardianproject/otr/app/im/plugin/xmpp/XmppConnection.java#L1139
sslContext = SSLContext.getInstance(SSLCONTEXT_TYPE);
mTrustManager = getTrustManager ();
SecureRandom mSecureRandom = new
java.security.SecureRandom();
sslContext.init(null, new javax.net.ssl.TrustManager[] {
mTrustManager },
mSecureRandom);
sslContext.getDefaultSSLParameters().setCipherSuites(XMPPCertPins.SSL_IDEAL_CIPHER_SUITES);
https://github.com/guardianproject/ChatSecureAndroid/blob/master/src/info/guardianproject/otr/app/im/plugin/xmpp/XmppConnection.java#L1415
public synchronized X509TrustManager getTrustManager ()
{
if (mTrustManager == null)
{
PinningTrustManager trustPinning = new
PinningTrustManager(SystemKeyStore.getInstance(aContext),XMPPCertPins.getPinList(),
0);
mTrustManager = new MemorizingTrustManager(aContext,
trustPinning);
}
return mTrustManager;
}
> -tom
>
> On 5 August 2014 15:59, Nathan of Guardian <nathan at guardianproject.info> wrote:
>>
>> Thanks to Georg of Yaxim for his great work on this, both technically
>> and in coordinating with us.
>>
>> https://op-co.de/CVE-2014-5075.html
>>
>> "Smack is an Open Source XMPP (Jabber) client library for instant
>> messaging and presence written in Java. Smack prior to version 4.0.2 is
>> vulnerable to TLS Man-in-the-Middle attacks, as it fails to check if the
>> server certificate matches the hostname of the connection."
>>
>> https://op-co.de/blog/posts/java_sslsocket_mitm/
>>
>> Our fix for ChatSecure:Android
>> (https://github.com/guardianproject/ChatSecureAndroid/commit/3f150daded7461255b9d51bfc59ff91f8a77ed81)
>> is included in the new ChatSecure 13.2.0 beta out today, which is near
>> enough to stable, that we recommend an upgrade:
>>
>> https://guardianproject.info/2014/08/05/chatsecure-13-2-important-beta-update/
>>
>> +n
>>
>>
>>
>> _______________________________________________
>> Guardian-dev mailing list
>>
>> Post: Guardian-dev at lists.mayfirst.org
>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>
>> To Unsubscribe
>> Send email to: Guardian-dev-unsubscribe at lists.mayfirst.org
>> Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/tom%40ritter.vg
>>
>> You are subscribed as: tom at ritter.vg
>>
More information about the Guardian-dev
mailing list