oss-sec mailing list archives
Re: CVE request: xchat/hexchat don't properly verify SSL certificates
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 30 Jan 2015 07:15:42 -0700
On 30/01/15 02:56 AM, Michael Samuel wrote:
> On 30 January 2015 at 06:24, Sam Dodrill <shadow.h511 () gmail com> wrote:
>> A lot of the time IRC networks will not pay for a verified SSL cert due to the fact that the kind of SSL cert they would need (a wildcard one) is financially prohibitive. I don't think this is a security bug with hexchat, more a symptom of the fact that SSL combines encryption and identity verification where sometimes people only want the former.
>
> The correct response to this is for them to publish their self-signed certificate (or even a CA certificate) and have it pasted into the client, along with the configuration.
Sorry what? A DV (Domain Validated) wildcard cert is now 80-90$ a year from many providers (google "cheap ssl"). SSL certs are no longer expensive and have not been for many years.
> The client could then perform a byte-wise compare of the public key. I assume well-known networks could have their certificates hard-coded into the client.
No. Just no. You put root certs on the client side, not the actual server certs. Google "crypto agility" and so on.

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993