Sniff & Read messages

Hi all. I have Wildfire 3.1.0 installed. Clients can only connect to the server using secured connections. But one of my clients wrote his own sniffer for Jabber. He gave me a video about server hacking. See it here: http://rapidshare.com/files/12471562/-jabber.avi.html

How do I protect against this?

Hey zulu,

I watched the video but it is not clear to me what you are doing (i.e. how you are hacking the connection). Could you describe what you are doing?

Thanks,

– Gato

Hm… That's not me; someone else sniffed Jabber sessions and showed me this video. I can't describe what I do, because I do nothing.

Maybe I don't understand something… But I thought that all traffic from server to client was encrypted. Or am I wrong, and only the authorization process is encrypted?

When I select TLS in Pandion, the connection goes over port 5222; if SSL, 5223. Is that normal or not?

Message was edited by: zulu

That is normal. It negotiates the encryption on the 5222 port.

Hi zulu,

the video is silly. At 0:37 one can see that the client did display a secure connection (closed lock next to nick name).

At 1:34 when the “hacker” is successful no lock is displayed, and one can see the plaintext messages also in the scrolling window - so that's not a hack.

It seems that the small program does also send a RST or something else to terminate the existing TLS connection and then filters the starttls message so one can not create a TLS encrypted session.

As he has full control of his own computer he can install a hook which sniffs and modifies network packets - this is lame.

==> So Jivesoftware (and other jabber client vendors) should really add a “require TLS” option in Spark (jabber clients), better no connection than an unencrypted one.

LG
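The "require TLS" client option suggested in the post above, sketched as an added example (not part of the thread, and not Spark or Wildfire code). The function names and the sample stanzas are constructed for illustration; the namespaces are the standard XMPP ones.

```python
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"

class DowngradeError(Exception):
    """Policy demands TLS but the stream cannot be upgraded."""

def next_step(features_xml, tls_active, require_tls=True):
    """Decide what the client does after receiving <stream:features/>."""
    root = ET.fromstring(features_xml)
    if root.tag != "{%s}features" % NS_STREAM:
        raise ValueError("not a stream:features element")
    if tls_active:
        return "authenticate"          # already inside the TLS session
    if root.find("{%s}starttls" % NS_TLS) is not None:
        return "starttls"              # upgrade before sending credentials
    if require_tls:
        # Offer missing: server misconfigured or stripped in transit.
        # Better no connection than an unencrypted one.
        raise DowngradeError("no <starttls/> offered; refusing plaintext")
    return "authenticate"              # plaintext fallback, as in the video

def after_starttls(reply_xml):
    """Only <proceed/> allows the TLS handshake; anything else aborts."""
    if ET.fromstring(reply_xml).tag == "{%s}proceed" % NS_TLS:
        return "handshake"
    raise DowngradeError("STARTTLS was not accepted")

def _features(*children):
    # Constructed sample stanzas, not captured traffic.
    return ("<stream:features xmlns:stream='%s'>%s</stream:features>"
            % (NS_STREAM, "".join(children)))

SASL = "<mechanisms xmlns='%s'><mechanism>PLAIN</mechanism></mechanisms>" % NS_SASL
OFFERED = _features("<starttls xmlns='%s'/>" % NS_TLS, SASL)
STRIPPED = _features(SASL)             # same offer with <starttls/> filtered out

if __name__ == "__main__":
    print(next_step(OFFERED, tls_active=False))
    try:
        next_step(STRIPPED, tls_active=False)
    except DowngradeError as exc:
        print("aborted:", exc)
```

With `require_tls=False` the stripped offer falls through to plaintext authentication, which is the unlocked session visible at 1:34 in the video.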

Couldn't you just configure Wildfire to require secure client connections?

At which point, the app of his would terminate the session and Spark wouldn't be able to reconnect until it stopped filtering the traffic to prevent an SSL connection.

Hi DJ,

a very good point and a very easy solution if one is the server administrator.

As one may use Spark to connect to random servers this is not really an option for normal users.

LG

it2000, thanks, you're right. I think the problem is solved.

But if somebody can drop the connection, this is not good.

Hi zulu,

as he can break only the connection of his client it does not matter. He could also shutdown and restart the client as he needs administrative rights on his computer to do this.

LG