Hack: Pidgin-Gtalk Connection Problems - Get Around The Corporate Firewall

I recently wrote a simple answering machine program/plugin for pidgin and someone asked me to port it to 32 bit. So I fired up pidgin within my VirtualBox installation at work (as I have only a 64 bit machine at home) but couldn’t get it to connect. I tried all sorts of methods found over the net, such as changing ports, set port forwarding in VirtualBox NAT, even switched to using a bridged host interface, but still no go. On a whim, I installed pidgin on the host, i.e., Windows, and still the same issue. Hmm, interesting... But wait, the gtalk client works, so what gives?

Well, after a bit of snooping around, I discovered that it’s a special funda that my company employs (and probably yours too) to monitor your IM conversations. The server talk.google.com was redirected to another server set up by my company that masquerades as the gtalk server and tries to act as a “Man In The Middle” to hijack your connection and listen to everything while you live in the fantasy that since it’s an “SSL encrypted” connection, everything is secure. However, “fortunately” pidgin refuses to connect here (more details at the end).

But as they say, rules are meant to be bent and broken. Here is a simple 3-step procedure to get around this.

  1. Open up your gtalk account settings in pidgin and go to Advanced tab.

  2. Check “Force old port”, uncheck “plaintext auth” and uncheck “Require SSL/TLS”. Also change “Connect port” to 443.

  3. The main part: Go to an online nslookup service and do an nslookup for talk.google.com. Put the IP that you get in place of “talk.google.com” in the settings.

That’s it. Go and chat away. (Or, if you want to know the reasoning behind this, read on.)

More Details:

Skip this if you want. For those who are interested, here are some details on why pidgin does not connect in this situation and how you can find out if your company is using this tactic.

  1. Pidgin connects to the gtalk servers by first making a connection to talk.google.com and fetching and verifying the certificate from there. Then it tries to connect to gmail.com. Now there can be various situations:

     1. It's unable to complete the transaction in the first place because you didn't use port 443, so the firewall blocks it; hence it can't communicate and tries to fall back to plaintext authorization, which is not supported by Google, and hence it fails.

     2. You chose the correct settings to go around the firewall, but now, after verifying the certificate, it just keeps "connecting". Basically, it passes through the talk.google.com phase and then tries to connect to gmail.com (don't know why) and gets stuck on this step because the company is masquerading as the gtalk server but not the gmail server.

  2. Look for the following symptoms to see if your company is doing “something”:

     1. Run "nslookup talk.google.com" in your command prompt (not through the web); say you get an IP x.y.z.w. Now run "nslookup x.y.z.w", again in the command prompt. You will get the real name of the server, which is your company's. You can try this for other IM servers as well (e.g. Yahoo).

     2. When pidgin asks you to verify the certificate, don't take it lightly. Just fetch and look at the certificate and it'll definitely be pointing to some other domain.
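The two symptoms above (a reverse lookup that names a different server, and a certificate issued for another domain) can be checked together. The following is an added example, not part of the original post: `assess` works on data you already collected, `probe` gathers it live and assumes the server speaks TLS directly on the port. The function names, the `expected_suffixes` parameter and the `example.net` / `corp.example` values are assumptions made for illustration; the genuine servers' reverse names may sit under a different domain than the service name, so the caller supplies the suffixes.

```python
import socket
import ssl

def cert_names(cert):
    """DNS names in a getpeercert()-style dict: SAN entries, else subject CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    return [n.lower() for n in names]

def name_matches(pattern, host):
    """Exact match, or one wildcard as the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def assess(host, ptr_name, cert, expected_suffixes):
    """Findings for one host. ptr_name is the reverse-DNS name of the address
    the local resolver returned (None if there is no PTR record)."""
    findings = []
    ptr = (ptr_name or "").lower().rstrip(".")
    if ptr and not any(ptr == s or ptr.endswith("." + s) for s in expected_suffixes):
        findings.append("reverse DNS name %s is outside %s" % (ptr, list(expected_suffixes)))
    names = cert_names(cert)
    if not any(name_matches(n, host) for n in names):
        findings.append("certificate names %s do not cover %s" % (names, host))
    return findings

def probe(host, expected_suffixes, port=443):
    """Live version (needs network): resolve, reverse-resolve, fetch the cert."""
    ip = socket.gethostbyname(host)
    try:
        ptr = socket.gethostbyaddr(ip)[0]
    except OSError:
        ptr = None
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # names are compared in assess() so a mismatch is reported
    try:
        with socket.create_connection((ip, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return assess(host, ptr, tls.getpeercert(), expected_suffixes)
    except ssl.SSLCertVerificationError as exc:
        return ["certificate chain did not validate: %s" % exc.verify_message]

if __name__ == "__main__":
    # Constructed sample: a proxy certificate and PTR name, not real data.
    fake = {"subject": ((("commonName", "improxy.corp.example"),),)}
    print(assess("talk.example.net", "improxy.corp.example", fake, ("example.net",)))
```

An empty list from `probe` only means neither symptom showed up from this machine; a company CA installed in the system trust store will pass chain validation, so the name comparison is the part that matters.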

Enough fundas for today. Let me know if this helped you out or if you have your own techniques for finding and circumventing such stuff.
