MSN authentication

Yonatan Amir yonatan.amir at
Tue Nov 9 10:32:17 EST 2010

Thanks, David.

On Sat, Nov 6, 2010 at 4:01 PM, David Woolley
<forums at> wrote:
> Yonatan Amir wrote:
>> This recent FireSheep business got me wondering - does Pidgin authenticate
>> the MSN protocol with encryption? I use Pidgin on an unencrypted wireless
>> network at school, and I'm worried about some bored individual capturing my
>> credentials. I couldn't find any information that would be useful to me.
> Looking at some slightly dated source code, it seems to use the Windows Live
> ID authentication protocol, which may well be dictated by Microsoft. This
> seems to at least use hashing.  I didn't notice any session key negotiation,
> so I would suspect that it is vulnerable to dictionary attacks, so you
> should choose a strong password.
> This is based on looking at the code for not much more than 5 minutes, so
> there might be stronger encryption that I have missed.
> --
> David Woolley
> Emails are not formal business letters, whatever businesses may want.
> RFC1855 says there should be an address here, but, in a world of spam,
> that is no longer good advice, as archive address hiding may not work.
