September 22, 2011

EFF’s Open Source Security Audit Uncovers Security Vulnerabilities in Messaging Software

Part one in a short series on EFF’s Open Source Security Audit

By Dan Auerbach and Chris Palmer

We recently did a security audit in which we uncovered and helped to fix vulnerabilities in the popular open source messaging clients Pidgin and Adium. We were motivated by our desire to bolster the security of cryptographic software that we often recommend to individuals and organizations as a defense against surveillance. In particular, one tool that we are enthusiastic about is the widely-used Off-The-Record (OTR) plugin for Pidgin and Adium.

Not to be confused with Google's similarly named "Off the Record" chat mode, the plugin can be used with any of the instant messaging services that Pidgin or Adium support, including MSN, AIM, Yahoo!, and Google Talk itself. OTR is an anti-surveillance tool used by people around the world, from activists in authoritarian regimes, to business folk looking to communicate securely with clients, to families who want a private conversation with a distant loved one. If you are using Pidgin to talk from a Google account and have the OTR plugin enabled, then nobody, including Google, is in a position to read the content of your encrypted messages en route to the other party. (The service can still see who you are talking to and when, and the protection only holds if you verify the other party's key fingerprint, so that you are not unknowingly talking to an impostor.) Though there are other options available for encrypted messaging, we especially like OTR because it has many desirable features, such as forward secrecy and deniability, and, unlike most other encryption tools, it is easy to use.

However, there is little value in having a nicely-conceived encryption tool if the implementations that people actually use are filled with security bugs! Therefore, we decided to do an audit to find and fix some of those bugs. We chose to focus our efforts on the libpurple messaging client library used by both Adium and Pidgin, and on some of the software that it depends on (notably GnuTLS and libxml2). Strengthening the security of these libraries is vital to ensuring that people have the option of truly private, encrypted communication at their fingertips. We found and fixed quite a few bugs; the resulting fixes are appearing now and will continue to appear in the coming weeks and months as security updates to the various code bases (for example, look under the "libpurple" section here). As always, we recommend installing security updates for your software as soon as they are available, especially if that software is being used to combat surveillance.

While we hope that the software libraries that we looked at are more secure now that potential vulnerabilities have been patched, ensuring effective security is an ongoing process. Given the crucial role played by this software as a platform for OTR and other encrypted messaging solutions, we hope that it will get the security attention that it deserves and continue to be reviewed regularly by the developers actively working on the projects as well as the community of users with an interest in encrypted communication. If you use Pidgin or Adium and would like to download OTR to protect yourself against surveillance, you can do so here.
