[tor-dev] Attentive Otter: Analysis of libpurple

Thijs Alkemade me at thijsalkema.de
Mon Oct 7 00:34:12 UTC 2013


Here is the analysis of libpurple/Pidgin as a candidate for the Attentive Otter project, written by DrWhax and me.

Best regards,
Thijs (xnyhps)


## Intro

Pidgin is an IM client written in C using a GTK+ UI. libpurple is the library used by Pidgin as an abstraction for the different network protocols Pidgin supports. libpurple comes with a number of plugins ("prpls") for the various chat networks it supports.

Other UIs using libpurple include Adium (Cocoa), Finch (GNT) and Quail (Qt, in development).

## Release a secure, portable chat program

### Secure

Number of security advisories published on https://pidgin.im/news/security/ since 2005-06-10:

* libpurple: 6
* nss plugin: 1
* Pidgin: 3
* prpl-gg: 1
* prpl-irc: 2
* prpl-jabber: 7
* prpl-msn: 15
* prpl-mxit: 3
* prpl-oscar (AIM/ICQ): 6
* prpl-qq: (no longer supported) 1
* prpl-sametime: 1
* prpl-silc: 2
* prpl-yahoo: 3

My (xnyhps) personal experience is that the Pidgin developers take reported security issues very seriously and often come up with a fix quickly. However, it does sometimes take a while before they release and deploy that fix. I don't have enough experience with Pidgin (the GTK+ UI) to judge its code quality, but I think the quality of libpurple itself is decent. The quality of prpls varies a lot; generally the reverse-engineered protocols are in worse shape than those with open specifications. I think MSN is definitely the worst and auditing it would take more time than the servers will be online for (until March 2014). I think auditing jabber+irc should be doable and would be a good start: IRC is quite small (<5kloc), XMPP (28kloc) has clear specifications, and by using UTF-8 and XML it removes a lot of possible buffer overflow and string manipulation vulnerabilities.

DrWhax's personal experience is that Pidgin developers don't always take security issues seriously. In the summer of 2012 I spent a night digging with Jake into the source code and DLLs that they ship and we found out that in 2012, they were shipping vulnerable DLLs with the oldest exploit originating from 2006! It took quite some convincing that this is a serious matter and we had to convince (sigh) the Pidgin folks to update all the DLLs to the latest version. In February 2013, Pidgin finally released a security update which fixed 12 security bugs? I would say, if we would want to go forward with releasing a minimal Pidgin, we should only ship with IRC and XMPP support.

### Portable

Pidgin provides official instructions on how to run Pidgin from an USB stick: https://developer.pidgin.im/wiki/Using%20Pidgin#RunningWindowsPidginFromaUSBDrivePortableMode.

## Sends all traffic over Tor

libpurple has a proxy type setting ("Tor/Privacy (SOCKS5)") that forces all connections to pass through Tor, with hostnames resolved by the proxy rather than locally. This disables all SRV lookups, since those would go to the local resolver outside Tor, so many XMPP servers require manual configuration of the connect server to work.

UPnP (used for automatic port forwarding and external IP detection) can be disabled globally.

## Can be used with a wide variety of chat networks

libpurple includes support for:
* Bonjour
* Gadu-Gadu
* Google Talk
* Groupwise
* MXit
* MySpaceIM
* Sametime
* Yahoo!
* Zephyr

Though nearly every one of these is a separate prpl, so each would require its own auditing.

## Uses off-the-record encryption of conversations by default

The Pidgin-OTR plugin can be configured to enable OTR by default. Including this plugin with Pidgin by default is underway.

## Has an easy-to-use graphical user interface localized into Farsi, French, Spanish, and Arabic. 

It has a graphical user interface which a large number of users might already be familiar with.

From https://developer.pidgin.im/l10n/2.x.y/:

* Farsi: 59.77% finished.
* French: 98.95% finished.
* Spanish: 99.31% finished.
* Arabic: 78.02% finished.

This breakdown includes all prpls, so might turn out differently when only including a subset of them.

## Cross-platform support
Pidgin ships binaries for Windows and Linux. By packaging GTK+, it should be possible to package it to run on OSX too, though the UI would be quite confusing to many OSX users.

Another option on OS X is Adium, though this increases the amount of code to be audited by a large factor.

## Integration with Tor

libpurple supports plugins written in C, Tcl, Perl and C# (Mono). These can make changes to the preferences to automate configuring it for Tor. It is also possible to configure Pidgin using D-Bus, but for security reasons it is probably wiser to disable D-Bus support.

So the options to control Tor are:

* A C/Tcl/Perl/C# plugin that launches a Tor process and which sets up Pidgin's preferences accordingly.
* Use Tor Launcher from the TBB to start both Tor and Pidgin. Configuring Pidgin could happen by:
  * Writing to the preference files before starting it.
  * Communicating the preference changes to a simple C/Tcl/Perl/C# plugin.
  * D-Bus. (Unlikely to work on Windows and difficult to secure)
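The "write to the preference files before starting it" option above, together with the proxy and UPnP settings from the "Sends all traffic over Tor" section, can be done with a few lines of Python. This is an added example, not code from Pidgin or from the Attentive Otter project. It assumes libpurple's 2.x preference paths (`/purple/proxy/type`, `/purple/proxy/host`, `/purple/proxy/port`, `/purple/network/map_ports`, `/purple/network/auto_ip`), the `prefs.xml` layout of nested `<pref name=...>` elements, and a Tor SocksPort on 127.0.0.1:9050; the sample prefs.xml is constructed for the example.

```python
"""Rewrite libpurple's prefs.xml so every connection uses a local Tor SOCKS
proxy and UPnP/NAT-PMP port mapping and external-IP detection are off.

Added example, not Pidgin code.  Assumed preference paths (libpurple 2.x):
  /purple/proxy/type          string  "tor" = SOCKS5 with remote name lookup
  /purple/proxy/host, /port   string, int
  /purple/network/map_ports   bool    UPnP/NAT-PMP port forwarding
  /purple/network/auto_ip     bool    external IP detection
"""
import xml.etree.ElementTree as ET

# Constructed sample of a user's prefs.xml with a direct (no proxy) setup
# and UPnP port mapping enabled.
SAMPLE_PREFS = """<?xml version='1.0' encoding='UTF-8' ?>
<pref version='1'>
  <pref name='purple'>
    <pref name='proxy'>
      <pref name='type' type='string' value='none'/>
    </pref>
    <pref name='network'>
      <pref name='map_ports' type='bool' value='1'/>
    </pref>
  </pref>
</pref>
"""

# Assumption: Tor's default SocksPort on localhost.
TOR_PREFS = {
    "/purple/proxy/type": ("string", "tor"),
    "/purple/proxy/host": ("string", "127.0.0.1"),
    "/purple/proxy/port": ("int", "9050"),
    "/purple/network/map_ports": ("bool", "0"),
    "/purple/network/auto_ip": ("bool", "0"),
}


def _node(root, path, create=False):
    """Walk a /a/b/c path through nested <pref name='...'> elements."""
    node = root
    for name in path.strip("/").split("/"):
        child = next((c for c in node.findall("pref") if c.get("name") == name), None)
        if child is None:
            if not create:
                return None
            child = ET.SubElement(node, "pref", name=name)
        node = child
    return node


def apply_tor_prefs(xml_text, prefs=TOR_PREFS):
    """Return prefs.xml text with every entry in `prefs` set (created if absent)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    for path, (ptype, value) in prefs.items():
        leaf = _node(root, path, create=True)
        leaf.set("type", ptype)
        leaf.set("value", value)
    return ET.tostring(root, encoding="unicode")


def check_tor_prefs(xml_text, prefs=TOR_PREFS):
    """Return the preference paths that are missing or wrong; empty list means OK.

    Run this against the file Pidgin wrote back after exit, since the UI can
    silently revert a setting the user changed in the preferences dialog.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    bad = []
    for path, (ptype, value) in prefs.items():
        leaf = _node(root, path)
        if leaf is None or leaf.get("type") != ptype or leaf.get("value") != value:
            bad.append(path)
    return bad


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PREFS
    fixed = apply_tor_prefs(src)
    assert not check_tor_prefs(fixed)
    print(fixed)
```

The rewrite has to happen while Pidgin is not running, because libpurple writes prefs.xml back on exit and would overwrite the changes; `check_tor_prefs` is the post-run check that the settings survived. Setting the proxy type alone is not sufficient: with `map_ports` and `auto_ip` left on, libpurple still talks UPnP to the local gateway outside the proxy.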

## Pidgin 3.0
Pidgin 3.0.x will be released with OTR support by default, which is awesome: only one codebase has to be maintained in the various Linux distributions and Windows clients! Huzzah! Something I'm less happy with is that the Pidgin developers started using WebKit for HTML rendering within the client. WebKit doesn't have a very good security history and opens up another giant security hole. If we would want to release Pidgin inside of TIMBB, I would propose to work on Pidgin 3.0 and not the older 2.x releases.
