[Pidgin] #13428: Accept certificate for api.login.icq.net
Pidgin
trac at pidgin.im
Thu Apr 7 04:06:02 EDT 2011
#13428: Accept certificate for api.login.icq.net
--------------------+-------------------------------------------------------
Reporter:  smitty   |  Owner:       MarkDoliner
Type:      defect   |  Status:      closed
Milestone:          |  Component:   ICQ
Version:   2.7.10   |  Resolution:  invalid
Keywords:           |
--------------------+-------------------------------------------------------

Comment(by MarkDoliner):

I don't know why your firewall is doing that. It's still not clear to me
what it's doing. It sounds like it's returning a totally invalid https
page instead of actually routing traffic to the Internet. You could try
opening https://api.login.icq.net/auth/clientLogin in a web browser after
forcing your modem to reboot and see what it gives you (it SHOULD be an
error from AOL that looks like
"statusCode=405&statusText=Method+not+allowed-+POST+method+required").

Pidgin should absolutely not automatically accept this certificate--that
would allow for man-in-the-middle attacks and be a security hole. It's
possible Pidgin should automatically reject this certificate and not give
the user an option... but I suspect that would bite us in the ass, for
example, if AOL installs an invalid cert on their servers, or installs a
cert signed by a master CA that we don't yet recognize.

I believe Pidgin is behaving ideally in this situation.

--
Ticket URL: <http://developer.pidgin.im/ticket/13428#comment:12>
Pidgin <http://pidgin.im>
Pidgin