[Pidgin] #16323: Fingerprint based SSL certificate approval
Pidgin
trac at pidgin.im
Wed Aug 20 01:04:19 EDT 2014
#16323: Fingerprint based SSL certificate approval
-------------------------+-------------------------------------------------
Reporter: cyisfor | Owner:
Type: enhancement | Status: new
Milestone: | Component: libpurple
Version: 3.0.0hg | Keywords: ssl, certificate, fingerprint,
| security, server, authentication
-------------------------+-------------------------------------------------
Many IRC networks have round-robin DNS, and each server has a different
certificate, resulting in each approval of a certificate overwriting the
previous approval in Pidgin. If connecting to 2 different servers in
alternating order, it will overwrite the certificate for the previous one
every time, making you need to "Allow" a certificate every single time you
connect.

So I made a simple form of approving certificates by fingerprint. Tested
on my computer, works fine, no segfaults, no double frees, valgrind is
happy (with MY code at least).

This is very important, because every server certificate Pidgin overwrites
is one more opportunity for a man-in-the-middle. Once all servers on the
network have Allowed certificate fingerprints, it won't ask again, yet no
third party can bypass the security.

This might not be limited to IRC, but I don't think, for instance, Jabber
chat is capable of having multiple servers on the same chat network. The
protocol sure, but I don't think it's implemented.
--
Ticket URL: <https://developer.pidgin.im/ticket/16323>
Pidgin <https://pidgin.im>
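
The difference between one stored approval per hostname and a set of approved fingerprints per hostname, as an added example that is not part of the ticket or its patch. The `pin_set` structure, the function names and the `fp-A`/`fp-B` labels are hypothetical; the labels stand in for real certificate fingerprints.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PINS 8
#define FP_LEN   64

/* Hypothetical pin set for one hostname; not libpurple's own structure. */
struct pin_set { char fps[MAX_PINS][FP_LEN]; int count; };

/* 1 if fp was approved earlier for this hostname, else 0. */
int pin_is_approved(const struct pin_set *ps, const char *fp) {
    for (int i = 0; i < ps->count; i++)
        if (strcmp(ps->fps[i], fp) == 0) return 1;
    return 0;
}

/* Record an "Allow": append, never replace. -1 if full or fp too long. */
int pin_approve(struct pin_set *ps, const char *fp) {
    if (pin_is_approved(ps, fp)) return 0;
    if (ps->count >= MAX_PINS || strlen(fp) >= FP_LEN) return -1;
    strcpy(ps->fps[ps->count++], fp);
    return 0;
}

/* Count "Allow" prompts over n connections. capacity 1 models the
 * overwrite-on-approve behaviour; a larger capacity keeps every pin. */
int count_prompts(const char *const *seen, int n, int capacity) {
    struct pin_set ps = { .count = 0 };
    int prompts = 0;
    for (int i = 0; i < n; i++) {
        if (pin_is_approved(&ps, seen[i])) continue;
        prompts++;                               /* user must decide */
        if (ps.count >= capacity) ps.count = 0;  /* old pin is lost */
        pin_approve(&ps, seen[i]);
    }
    return prompts;
}

/* Constructed sample: two servers alternating behind one DNS name. */
static const char *const ROTATION[] =
    { "fp-A", "fp-B", "fp-A", "fp-B", "fp-A", "fp-B" };

int main(void) {
    printf("single slot: %d prompts\n", count_prompts(ROTATION, 6, 1));
    printf("pin set:     %d prompts\n", count_prompts(ROTATION, 6, MAX_PINS));
    return 0;
}
```

With the set, a fingerprint that was never approved still produces a prompt, so only the repeated prompts for already-approved servers go away.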