SSL security concern

Ralf Skyper Kaiser skyper at thc.org
Mon Oct 14 10:39:38 EDT 2013 

David,

can you clarify this quote from you please:

"That goes against the general philosophy of open source clients. The user
should be assumed to be responsible."

Are you saying that users who use open source clients are assumed to be
responsible? (and because of that pidgin should have a lousy SSL security
implementation - because the user knows what he is doing)?

regards,

skyper



On Sun, Sep 22, 2013 at 11:39 PM, David Woolley
<forums at david-woolley.me.uk>wrote:

> On 22/09/13 21:26, skyper wrote:
>
>>
>> 1. Which ROOT CA storage does pidgin use to authenticate a server side
>> SSL certificate?
>>
>
> See ./configure --help.  At a quick scan, it looks like it uses its own
> set of root certificates by default.  The default will depend on the OS, at
> least to some extent.  On Debian, it looks like the default is
> /usr/share/purple/ca-certs.
>
> If you didn't compile it yourself, the choices made by the packager may
> differ from the build system defaults.
>
>
>
>> 2. How can I configure pidgin to use one (and just one; exclusive) ROOT
>> CA storage (or single certificate) and ignore all other system-wide root
>> certs without having to recompile the source?
>>
>
> On that reading.  If it has been compiled to use its own certificates,
> delete the other certificates.  Again, on the above reading, this will be a
> global change for all libpurple clients. If it has been compiled to use a
> system directory, your caveat cannot be met.
>
>
>
>> 3. How can I harden pidgin to fail connecting to the jabber server if
>> SSL trust can not be established? I do not want to see any warning that
>> the SSL cert can not be authenticated or the user being asked if he
>> trusts the certificate manually.
>>
>
> That goes against the general philosophy of open source clients, that the
> user should be assumed to be responsible.  My guess is that this not only
> requires recompiling, but also requires source code changes.
>
> Please note I'm not an expert on this.  I'm just going on a very quick
> scan of the configure script, and the general design philosophy of open
> source client software.
>
>
> ______________________________**_________________
> Support at pidgin.im mailing list
> Want to unsubscribe?  Use this link:
> http://pidgin.im/cgi-bin/**mailman/listinfo/support<http://pidgin.im/cgi-bin/mailman/listinfo/support>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://pidgin.im/pipermail/support/attachments/20131014/2603954f/attachment.html>

More information about the Support mailing list