EFF’s Open Source Security Audit Uncovers Security Vulnerabilities in Messaging Software
Part one in a short series on EFF’s Open Source Security Audit
By Dan Auerbach and Chris Palmer
We recently did a security audit in which we uncovered and helped to fix vulnerabilities in the popular open source messaging clients Pidgin and Adium. We were motivated by our desire to bolster the security of cryptographic software that we often recommend to individuals and organizations as a defense against surveillance. In particular, one tool that we are enthusiastic about is the widely-used Off-The-Record (OTR) plugin for Pidgin and Adium.
Not to be confused with Google’s similarly named “Off The Record” chat, the plugin can be used with any popular instant messaging services enabled in Pidgin or Adium, including MSN, AIM, Yahoo!, and Google talk itself. OTR is an anti-surveillance tool used by people around the world, from activists in authoritarian regimes to business folk looking to communicate securely with clients to families who want a private conversation with a distant loved one. If you are using Pidgin to talk from a Google account and have the OTR plugin enabled, then nobody---including Google---is in a position to read your encrypted communications en route to the other party. Though there are other options available for encrypted messaging, we especially like OTR because it has many desirable features, and unlike other encryption, it's easy to use.
However, there is little value in having a nicely-conceived encryption tool if the implementations that people actually use are filled with security bugs! Therefore, we decided to do an audit to find and fix some of those bugs. We chose to focus our efforts on the libpurple messaging client library used by both Adium and Pidgin and some of the software that it depends on (notably GnuTLS and libxml2). Strengthening the security of these libraries is vital to ensuring that people have the option of truly private, encrypted communication at their fingertips. We found and fixed quite a few bugs, which you might be able to see now and in the coming weeks and months by looking for security updates (for example, look under the "libpurple" section here) within the various code bases. As always, we recommend immediately downloading any security updates for your software, especially if that software is being used to combat surveillance.
While we hope that the software libraries that we looked at are more secure now that potential vulnerabilities have been patched, ensuring effective security is an ongoing process. Given the crucial role played by this software as a platform for OTR and other encrypted messaging solutions, we hope that it will get the security attention that it deserves and continue to be reviewed regularly by the developers actively working on the projects as well as the community of users with an interest in encrypted communication. If you use Pidgin or Adium and would like to download OTR to protect yourself against surveillance, you can do so here.