Request for CVEs for Pidgin

Ethan Blanton elb at pidgin.im
Fri Oct 17 14:12:20 EDT 2014


Daniel Atallah spake unto us the following wisdom:
> > Out of curiosity, why do this problem exist in the Pidgin code?  Does
> > it re-implement certificate checks rather than using implementations in
> > NSS or GnuTLS?  This is something that SSL libs should implement, and
> > they should not do these mistake these days.
> 
> Yes, the cause of problem is that the pidgin code uses internal certificate
> validation instead of using the one in the SSL libraries.

To clarify further, this is due to two causes:

  1) Mistaken design decisions in libpurple during SSL integration
  2) (Sometimes severe) limitations in the cryptographic libraries at
     the time that the Pidgin SSL API was developed.

As Daniel notes, we've been freed from the SSL library constraints by
the passage of time and further development, we've learned a lot about
improving early design decisions within libpurple, and the 3.0 release
will free us from API restrictions that prevent fully correcting the
problem in the 2.x series.

We would welcome any input on the 3.x architecture as it relates to
security and cryptographic practices.

Ethan


More information about the security mailing list