SSL security concern
Ethan Blanton
elb at pidgin.im
Mon Oct 14 10:47:20 EDT 2013
Ralf Skyper Kaiser spake unto us the following wisdom:
> can you clarify this quote from you please:
>
> "That goes against the general philosophy of open source clients. The user
> should be assumed to be responsible."
>
> Are you saying that users who use open source clients are assumed to be
> responsible? (and because of that pidgin should have a lousy SSL security
> implementation - because the user knows what he is doing)?
Note that David is not a Pidgin developer, and this opinion is his
own. It is either a common attitude for Open Source software or a
common misconception regarding open source software, depending on your
perspective. I view it as the latter. There's no "philosophy" of
open source that says it has to suck in case the user wants it to.
That said, in this particular instance, we do not have a
straightforward option for accomplishing what you're asking for, and I
doubt we will soon provide one. It is unfortunately quite common for
users to *need* to accept certificates with untrusted chains,
mismatched domains, expired signatures, etc. We do not currently
provide an option for default disposition (either to confirm or
reject) of such a situation, we require the user to handle it
manually.
Ethan
More information about the Support
mailing list