Re: CVE request: xchat/hexchat don't properly verify SSL certificates

[Kurt Seifried <kseifried () redhat com>]

On 30/01/15 02:56 AM, Michael Samuel wrote:
> On 30 January 2015 at 06:24, Sam Dodrill <shadow.h511 () gmail com> wrote:
> > A lot of the time IRC networks will not pay for a verified SSL cert due to
> > the fact that the kind of SSL cert they would need (a wildcard one) is
> > financially prohibitive. I don't think this is a security bug with hexchat
> > more a symptom of the fact that SSL combines encryption and identity
> > verification where sometimes people only want the former.
>
> The correct response to this is for them to publish their self-signed
> certificate (or even a CA certificate) and have it pasted into the
> client, along with the configuration.

Sorry what? A DV (Domain Validated) wildcard cert is now 80-90$ a year
from many providers (google "cheap ssl"). SSL certs are no longer
expensive and have not been for many years.

> The client could then perform a byte-wise compare of the public key.
>
> I assume well-known networks could have their certificates hard-coded
> into the client.

No. Just no. You put root certs on the client side, not the actual
server certs. Google "crypto agility" and so on.

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

Attachment: signature.asc
Description: OpenPGP digital signature