MSN authentication

Yonatan Amir yonatan.amir at gmail.com
Tue Nov 9 10:32:17 EST 2010


Thanks, David.

On Sat, Nov 6, 2010 at 4:01 PM, David Woolley
<forums at david-woolley.me.uk> wrote:
> Yonatan Amir wrote:
>>
>> This recent FireSheep business got me wondering - does Pidgin authenticate
>> the MSN protocol with encryption? I use Pidgin on an unencrypted wireless
>> network at school, and I'm worried about some bored individual capturing my
>> credentials. I couldn't find any information that would be useful to me.
>
> Looking at some slightly dated source code, it seems to use the Windows Live
> ID authentication protocol, which may well be dictated by Microsoft. This
> seems to at least use hashing.  I didn't notice any session key negotiation,
> so I would suspect that it is vulnerable to dictionary attacks, so you
> should choose a strong password.
>
> This is based on looking at the code for not much more than 5 minutes, so
> there might be stronger encryption that I have missed.
>
> --
> David Woolley
> Emails are not formal business letters, whatever businesses may want.
> RFC1855 says there should be an address here, but, in a world of spam,
> that is no longer good advice, as archive address hiding may not work.
>


