MSN authentication

David Woolley forums at david-woolley.me.uk
Sat Nov 6 10:01:10 EDT 2010


Yonatan Amir wrote:
> This recent FireSheep business got me wondering - does Pidgin 
> authenticate the MSN protocol with encryption? I use Pidgin on an 
> unencrypted wireless network at school, and I'm worried about some bored 
> individual capturing my credentials. I couldn't find any information 
> that would be useful to me.

Looking at some slightly dated source code, it seems to use the Windows 
Live ID authentication protocol, which may well be dictated by 
Microsoft. This seems to at least use hashing.  I didn't notice any 
session key negotiation, so I would suspect that is is vulnerable to 
dictionary attacks, so you should choose a strong password.

This is based on looking at the code for not much more than 5 minutes, 
so there might be stronger encryption that I have missed.

-- 
David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.



More information about the Support mailing list