Disabling SSLv3 for 2.10.10?

Mark Doliner mark at kingant.net
Thu Oct 16 14:26:45 EDT 2014


Is POODLE a problem for us? I got the impression that it's not. It
seems like it's an information leak that is only possible if the
attacker can cause Pidgin to send many slightly different SSL/TLS
requests. For browsers this happens if an active MITM injects
javascript into an http response and the malicious javascript makes
many custom https requests. I can't think of a scenario for how that
might happen within Pidgin.

I agree that it would be nice to disable SSLv3 (or give people the
ability to do it via a hidden pref) (FYI I disabled it for GnuTLS in
default), but I'm worried about making this change immediately before
releasing.
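An added example, not from this thread or from Pidgin's code: a small Python parser that flags an SSLv3 ServerHello in raw TLS records, which is one way to confirm from a capture that a client no longer negotiates SSLv3 after a change like the one discussed. The ServerHello records are constructed inline for the demonstration, not captured traffic.

```python
"""Flag SSLv3 negotiation in raw TLS handshake records (defensive check)."""
import struct

CONTENT_HANDSHAKE = 0x16      # TLS record content type for handshake messages
HS_SERVER_HELLO = 0x02        # handshake message type for ServerHello
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}


def parse_server_hello_version(record: bytes):
    """Return (record_version, server_version) for a handshake record that
    carries a ServerHello, or None if the bytes are not a complete one."""
    if len(record) < 5:
        return None
    ctype, rec_ver, length = struct.unpack("!BHH", record[:5])
    if ctype != CONTENT_HANDSHAKE or len(record) < 5 + length:
        return None
    body = record[5:5 + length]
    # handshake header: 1-byte type, 3-byte length, then the ServerHello body
    if len(body) < 6 or body[0] != HS_SERVER_HELLO:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_len < 2 or len(body) < 4 + hs_len:
        return None
    server_ver = struct.unpack("!H", body[4:6])[0]   # version the server picked
    return rec_ver, server_ver


def negotiated_sslv3(record: bytes) -> bool:
    """True when the server's chosen version is SSLv3 (0x0300)."""
    parsed = parse_server_hello_version(record)
    return parsed is not None and parsed[1] == 0x0300


def make_server_hello(version: int) -> bytes:
    """Constructed sample: minimal ServerHello with a zeroed 32-byte random,
    empty session id, one cipher suite (0x002f) and null compression."""
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    hs = bytes([HS_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", CONTENT_HANDSHAKE, version, len(hs)) + hs


SAMPLE_SSLV3 = make_server_hello(0x0300)   # constructed, would indicate a problem
SAMPLE_TLS12 = make_server_hello(0x0303)   # constructed, the expected case

if __name__ == "__main__":
    for name, rec in (("sslv3", SAMPLE_SSLV3), ("tls12", SAMPLE_TLS12)):
        ver = parse_server_hello_version(rec)[1]
        print(name, VERSION_NAMES.get(ver, hex(ver)), "SSLv3!" if negotiated_sslv3(rec) else "ok")
```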
