SSL security concern
David Woolley
forums at david-woolley.me.uk
Mon Oct 14 13:17:47 EDT 2013
On 14/10/13 17:33, Ralf Skyper Kaiser wrote:
> I agree, 1 of the 7 security features is already possible with Pidgin
> but requires source code recompilation. That does not fly for most
> users (especially the Windows users).
As far as I know, the Windows build is unable to use the system
certificate store, so it already uses one private to libpurple, but
pre-populates it. You could simply clear it out. It is only on modern
Linux systems where it is likely to share a certificate store, and those
are the ones where compiling from source is likely to be easiest. (A
packager could, fairly easily, point the certificate store at a symlink,
which defaults to the system store, in those cases.)
It looks like Debian also uses a private directory for the certificates
(/usr/share/purple/ca-certs/), and doesn't even install all that come
with Pidgin.
> Pidgin should be secure by default or - if Pidgin insists that it has to
> be insecure by default - at least the possibility for the user to use it
> securely. Without having to recompile from source (and cross platform).
You just have to look at the typical question on this list to realise
that a secure by default Pidgin would be unusable to a large number of
Pidgin users - if you cannot make a usable support request, you are
unlikely to understand how to source and install certificates securely.
There tend to be high support costs in making mass market software
secure by default. (As I already noted, Windows seems to let almost
every Tom, Dick or Harry act as a CA by default, because starting with
only class 3 certificates would cause too many support problems.)
If anything, making it "secure by default", if it doesn't scare off new
users completely, is likely to result in lots of cook book solutions on
how to get it to trust certificates without going through the proper
processes to verify those certificates, thus teaching people bad
security practices.
If Windows set all but class 3 CAs to disabled by default, I suspect the
standard internet cook book solution would be simply to go into the
certificate manager and enable them, whenever you got blocked.
Whilst making the directory a run time parameter would, probably, be a
small change, you would then have to lock down the configuration file.
Having to explicitly add trusted certificates won't fly with most end users.
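One way an administrator can check how far libpurple's private certificate store has drifted from the system store, as discussed above (added example, not code from this thread or from Pidgin; the store paths are assumptions, and the embedded PEM blocks are constructed dummies):

```python
"""Compare the CA certificates in libpurple's private store with the
system store by SHA-256 fingerprint of each certificate's DER bytes.
Directory paths below are assumptions for illustration only."""
import base64
import hashlib
import os
import re
from typing import Dict, Set

PURPLE_STORE = "/usr/share/purple/ca-certs"      # assumed private store
SYSTEM_STORE = "/etc/ssl/certs"                   # assumed system store

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def fingerprints_from_pem(text: str) -> Set[str]:
    """SHA-256 hex fingerprints of every CERTIFICATE block in text."""
    fps = set()
    for match in PEM_RE.finditer(text):
        der = base64.b64decode("".join(match.group(1).split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def load_store(path: str) -> Dict[str, str]:
    """Map fingerprint -> file name for all PEM certificates under path."""
    found: Dict[str, str] = {}
    for root, _, files in os.walk(path):
        for name in files:
            with open(os.path.join(root, name), errors="ignore") as fh:
                for fp in fingerprints_from_pem(fh.read()):
                    found[fp] = name
    return found


def audit(purple: Dict[str, str], system: Dict[str, str]) -> Dict[str, object]:
    """Report which CAs each store trusts that the other does not."""
    return {
        "only_in_purple": sorted(purple[fp] for fp in purple.keys() - system.keys()),
        "only_in_system": sorted(system[fp] for fp in system.keys() - purple.keys()),
        "shared": len(purple.keys() & system.keys()),
    }


def _pem(payload: bytes) -> str:  # constructed dummy block, not a real cert
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


def demo() -> Dict[str, object]:
    """Audit two constructed stores: purple has A,B; system has B,C."""
    purple = {fp: n for n, p in (("a.pem", b"dummy-ca-A"), ("b.pem", b"dummy-ca-B"))
              for fp in fingerprints_from_pem(_pem(p))}
    system = {fp: n for n, p in (("b.pem", b"dummy-ca-B"), ("c.pem", b"dummy-ca-C"))
              for fp in fingerprints_from_pem(_pem(p))}
    return audit(purple, system)


if __name__ == "__main__":
    print(demo())  # with real paths: audit(load_store(PURPLE_STORE), load_store(SYSTEM_STORE))
```

Entries under "only_in_purple" are the CAs Pidgin would trust even after the system store stops trusting them, which is the drift the private directory introduces.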