[Pidgin] #3381: XMPP TLS and (old) SSL man-in-the-middle attack
Pidgin
trac at pidgin.im
Sat Nov 3 17:47:43 EDT 2007
#3381: XMPP TLS and (old) SSL man-in-the-middle attack
-------------------------+--------------------------------------------------
Reporter: bluefoxicy | Owner: wehlhard
Type: defect | Status: new
Priority: minor | Milestone:
Component: XMPP | Version: 2.2.0
Resolution: | Keywords:
Pending: 0 |
-------------------------+--------------------------------------------------
Comment (by wehlhard):
Solving this was a goal of my Summer of Code work this summer. If you are
using the GnuTLS SSL plugin, most of the concerns you raise should be
addressed in current versions of Pidgin.
If a cached certificate changes, Pidgin should alert the user on the
severity of the change. If the actual public key does not change, but the
common name, CA, or self-signed status does (i.e. if a self-signed gets CA-
signed), then it should inform the user of this; else it should inform the
user that the entire certificate has changed. It can also inform the user
that a simple self-signed to CA-signed transition makes the certificate
more trustworthy, as long as the CN of the certificate matches the name of
the server Pidgin connected to.
The current behavior is that Pidgin simply rejects the certificate
outright; I was planning to change this behavior to have it instead
recheck the certificate with the same logic as that used to authenticate
the certificate the first time.
I appreciate your testing of the SSL code; it has lately undergone some
significant revision and needs testing.
--
Ticket URL: <http://developer.pidgin.im/ticket/3381#comment:2>
Pidgin <http://pidgin.im>
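The severity rules wehlhard describes above (same key but changed CN, CA or self-signed status, versus an entirely new certificate, plus the "more trustworthy" case when a self-signed certificate becomes CA-signed with a matching CN) as an added Python example; this is not Pidgin's code, and the `CertSummary` fields, fingerprints and host names are constructed assumptions standing in for values a client would pull from the parsed X.509 certificate.

```python
from dataclasses import dataclass
from enum import Enum


@dataclass(frozen=True)
class CertSummary:
    """Hypothetical simplified view of a certificate (not Pidgin's structures)."""
    key_fingerprint: str   # hash of the SubjectPublicKeyInfo
    common_name: str       # subject CN
    issuer: str            # issuer DN
    self_signed: bool


class Change(Enum):
    UNCHANGED = "cached certificate presented again"
    DETAILS_CHANGED = "same public key; CN, CA or self-signed status changed"
    WHOLE_CERT_CHANGED = "entire certificate changed"


def classify_change(cached, presented, server_name):
    """Return (Change, human-readable details, more_trustworthy).

    more_trustworthy is True only for a self-signed -> CA-signed transition
    whose CN matches the server name the client actually connected to.
    """
    if cached == presented:
        return Change.UNCHANGED, [], False
    if cached.key_fingerprint != presented.key_fingerprint:
        # A different key is a different certificate altogether; this is the
        # most severe case and the one a substituted certificate would produce.
        return Change.WHOLE_CERT_CHANGED, ["public key differs from cache"], False
    details = []
    if cached.common_name != presented.common_name:
        details.append(f"CN: {cached.common_name} -> {presented.common_name}")
    if cached.issuer != presented.issuer:
        details.append(f"issuer: {cached.issuer} -> {presented.issuer}")
    if cached.self_signed != presented.self_signed:
        details.append(f"self-signed: {cached.self_signed} -> {presented.self_signed}")
    more_trustworthy = (cached.self_signed and not presented.self_signed
                        and presented.common_name == server_name)
    return Change.DETAILS_CHANGED, details, more_trustworthy


# Constructed sample certificates (fingerprints and names are made up).
OLD = CertSummary("sha1:aa11", "xmpp.example.org", "CN=xmpp.example.org", True)
RESIGNED = CertSummary("sha1:aa11", "xmpp.example.org", "CN=Example CA", False)
REKEYED = CertSummary("sha1:ff99", "xmpp.example.org", "CN=Example CA", False)

if __name__ == "__main__":
    for new in (OLD, RESIGNED, REKEYED):
        print(classify_change(OLD, new, "xmpp.example.org"))
```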