SSL security concern

David Woolley forums at david-woolley.me.uk
Mon Oct 14 13:17:47 EDT 2013


On 14/10/13 17:33, Ralf Skyper Kaiser wrote:

> I agree, 1 of the 7 Security features is already possible with pidgin
> but requires source code recompilation. That does not fly for most
> users (especially the windows users).

As far as I know, the Windows build is unable to use the system 
certificate store, so already uses one private to libpurple, but 
pre-populates it.  You could simply clear it out.  It is only on modern 
Linux systems where it is likely to share a certificate store, and those 
are the ones where compiling from source is likely to be easiest.  (A 
packager could, fairly easily, point the certificate store at a symlink, 
which defaults to the system store, in those cases.)

It looks like Debian also uses a private directory for the certificates 
(/usr/share/purple/ca-certs/), and doesn't even install all that come 
with Pidgin.

>
> Pidgin should be secure by default or - if Pidgin insists that it has to
> be insecure by default - at least the possibility for the user to use it
> securely. Without having to recompile from source (and cross platform).

You just have to look at the typical question on this list to realise 
that a secure by default Pidgin would be unusable to a large number of 
Pidgin users - if you cannot make a usable support request, you are 
unlikely to understand how to source and install certificates securely. 
There tend to be high support costs in making mass market software 
secure by default.  (As I already noted, Windows seems to let almost 
every Tom, Dick or Harry act as a CA by default, because starting with 
only class 3 certificates would cause too many support problems.)

If anything, making it "secure by default", if it doesn't scare off new 
users completely, is likely to result in lots of cook book solutions on 
how to get it to trust certificates without going through the proper 
processes to verify those certificates, thus teaching people bad 
security practices.

If Windows set all but class 3 CAs to disabled by default, I suspect the 
standard internet cook book solution would be simply to go into the 
certificate manager and enable them, whenever you got blocked.

Whilst making the directory a run time parameter would, probably, be a 
small change, you would then have to lock down the configuration file.

Having to explicitly add trusted certificates won't fly with most end users.
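The thread above turns on the fact that Pidgin (and Debian's packaging of it) keeps a CA directory of its own, separate from the system store. The script below is an added example, not code from the thread or from the Pidgin project: it lists every certificate in an application's private CA directory whose body does not appear anywhere in a second directory, so an administrator can see exactly which roots the application trusts beyond what the OS trusts. It compares the base64 body between the BEGIN/END CERTIFICATE markers, so it needs only awk, sort and grep and no openssl binary. The path /usr/share/purple/ca-certs/ comes from the post; /etc/ssl/certs as the system store is an assumption about a typical Debian layout, and the directory layout in the usage comment is illustrative.

```shell
#!/bin/sh
# Report certificates that an application's private CA directory trusts
# but that the system CA store does not.
#
# Usage (paths assumed, adjust to the host):
#   extra_app_certs /usr/share/purple/ca-certs /etc/ssl/certs

# pem_bodies FILE
# Print one line per certificate in FILE: the base64 body with its line
# breaks removed. Text outside the BEGIN/END markers is ignored, so bundle
# files holding several certificates are handled.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { inside = 0; print body; next }
        inside                        { body = body $0 }
    ' "$1"
}

# extra_app_certs APP_DIR SYS_DIR
# Print the file name of each certificate found in APP_DIR whose body is
# not present in any file under SYS_DIR. An empty result means the private
# store trusts nothing the system store does not.
extra_app_certs() {
    app_dir=$1
    sys_dir=$2
    sys_index=$(mktemp)

    # Index every certificate body in the system store, one per line.
    for f in "$sys_dir"/*; do
        [ -f "$f" ] && pem_bodies "$f"
    done | sort -u > "$sys_index"

    # Any app certificate whose body is not an exact line in the index is
    # a root trusted only by the application.
    for f in "$app_dir"/*; do
        [ -f "$f" ] || continue
        pem_bodies "$f" | while IFS= read -r body; do
            if ! grep -qxF -- "$body" "$sys_index"; then
                basename "$f"
            fi
        done
    done

    rm -f "$sys_index"
}
```

Run it as root or any user who can read both directories; a non-empty listing is the set of certificates to review, either by removing them from the private store or by confirming they are deliberately trusted. Symlinked directories work unchanged, so the packager's symlink idea from the post would simply produce an empty report.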