[guardian-dev] Smack SSL MiTM Vuln and ChatSecure beta fix

Nathan of Guardian nathan at guardianproject.info
Tue Aug 5 21:44:26 EDT 2014

On 08/05/2014 06:18 PM, Tom Ritter wrote:
> I didn't see any mention of the security fix in the blog post, but it
> is in the referenced APK?  Do you know when this bug was introduced or
> which versions of ChatSecure were vulnerable?

I wrote the blog post before the vulnerability was public, so I need to
update it now with more details. The fix is definitely included as part
of the 13.2.0-beta-1 tagged release.

As for as when the vulnerability was introduced, the vuln info page is
pretty clear about when it was introduced into Smack itself. However,
with ChatSecure, I am still sorting out the timeline and just trying to
determine how exposed we really are.

In fact, since we use a custom SSLContext, and only rely on
PinningTrustManger and MemorizingTrustManager, I think we may actually
not be as vulnerable as I thought:


sslContext = SSLContext.getInstance(SSLCONTEXT_TYPE);

                mTrustManager = getTrustManager ();

                SecureRandom mSecureRandom = new

                sslContext.init(null, new javax.net.ssl.TrustManager[] {
mTrustManager },



public synchronized X509TrustManager getTrustManager ()
        if (mTrustManager == null)
            PinningTrustManager trustPinning = new

            mTrustManager = new MemorizingTrustManager(aContext,


        return mTrustManager;

> -tom
> On 5 August 2014 15:59, Nathan of Guardian <nathan at guardianproject.info> wrote:
>> Thanks to Georg of Yaxim for his great work on this, both technically
>> and in coordinating with us.
>> https://op-co.de/CVE-2014-5075.html
>> "Smack is an Open Source XMPP (Jabber) client library for instant
>> messaging and presence written in Java. Smack prior to version 4.0.2 is
>> vulnerable to TLS Man-in-the-Middle attacks, as it fails to check if the
>> server certificate matches the hostname of the connection."
>> https://op-co.de/blog/posts/java_sslsocket_mitm/
>> Our fix for ChatSecure:Android
>> (https://github.com/guardianproject/ChatSecureAndroid/commit/3f150daded7461255b9d51bfc59ff91f8a77ed81)
>> is included in the new ChatSecure 13.2.0 beta out today, which is near
>> enough to stable, that we recommend an upgrade:
>> https://guardianproject.info/2014/08/05/chatsecure-13-2-important-beta-update/
>> +n
>> _______________________________________________
>> Guardian-dev mailing list
>> Post: Guardian-dev at lists.mayfirst.org
>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>> To Unsubscribe
>>         Send email to:  Guardian-dev-unsubscribe at lists.mayfirst.org
>>         Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/tom%40ritter.vg
>> You are subscribed as: tom at ritter.vg

More information about the Guardian-dev mailing list