SSL security concern
David Woolley
forums at david-woolley.me.uk
Mon Oct 14 12:16:18 EDT 2013
On 14/10/13 15:39, Ralf Skyper Kaiser wrote:
> can you clarify this quote from you please:
>
> "That goes against the general philosophy of open source clients. The
> user should be assumed to be responsible."
>
> Are you saying that users who use open source clients are assumed to be
> responsible? (and because of that pidgin should have a lousy SSL
> security implementation - because the user knows what he is doing)?

Enforcing local management policy tends to be a low priority in open
source software. In the case of certificates, as long as the user is
told that there is a problem with the certificate, it is generally
assumed that any choice to ignore the warning is an informed decision.
Freedom tends to include the freedom to ignore warnings.

Windows, although far from open source, tends to take a similar position
by default, but does provide features like group policies to allow a
management lock down. Windows' SSL security implementation is also lousy,
in your terms, because:

- most people who use it think that an https URL is all that is needed
  for security and have no understanding of the need for authentication;

- it enables all sorts of weird CAs with low authentication thresholds,
  along with the class 3 certificates - any one of which will let you in
  without a warning.

Incidentally, I don't know any easy way of giving standard Windows
applications selective access to root certificates, without giving all
applications the same restriction.

A specific example of an area where Pidgin doesn't comply with
management lock down wants is that every few months people ask how to
disable all but one service, to which the standard answer is that you can
disable protocols by removing the plugins, but the end user can just
re-install them, so the correct solution is to block at the firewall. Of
course, many people asking for this would want Facebook and Google
blocked, but are using private XMPP servers, so share a common protocol.

As Ethan says, I'm not a Pidgin developer (my programming work with open
source is in a different area), but I don't notice much support for
management lock downs anywhere in Pidgin.