[Pidgin] #13428: Accept certificate for api.login.icq.net

Pidgin trac at pidgin.im
Thu Apr 7 04:06:02 EDT 2011


#13428: Accept certificate for api.login.icq.net
--------------------+-------------------------------------------------------
 Reporter:  smitty  |        Owner:  MarkDoliner
     Type:  defect  |       Status:  closed     
Milestone:          |    Component:  ICQ        
  Version:  2.7.10  |   Resolution:  invalid    
 Keywords:          |  
--------------------+-------------------------------------------------------

Comment(by MarkDoliner):

 I don't know why your firewall is doing that.  It's still not clear to me
 what it's doing.  It sounds like it's returning a totally invalid https
 page instead of actually routing traffic to the Internet.  You could try
 opening https://api.login.icq.net/auth/clientLogin in a web browser after
 forcing your modem to reboot and see what it gives you (it SHOULD be an
 error from AOL that looks like
 "statusCode=405&statusText=Method+not+allowed-+POST+method+required").

 Pidgin should absolutely not automatically accept this certificate--that
 would allow for man-in-the-middle attacks and be a security hole.  It's
 possible Pidgin should automatically reject this certificate and not give
 the user an option... but I suspect that would bite us in the ass, for
 example, if AOL installs an invalid cert on their servers, or installs a
 cert signed by a master CA that we don't yet recognize.

 I believe Pidgin is behaving ideally in this situation.

-- 
Ticket URL: <http://developer.pidgin.im/ticket/13428#comment:12>
Pidgin <http://pidgin.im>