oss-sec mailing list archives
Re: CVE request: xchat/hexchat don't properly verify SSL certificates
From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Thu, 29 Jan 2015 18:42:47 -0500
On Thu 2015-01-29 18:04:52 -0500, Reed Loden wrote:
> You're welcome to check the "Accept invalid SSL certificates" box in that case, but the default should be that SSL/TLS certificates are correctly validated. :)
Agreed. This is 2015. The default stance for any network-facing tool that claims to use TLS should be to validate certificates. Anything less is a vulnerability, and should be treated as such.

--dkg