Re: CVE request: xchat/hexchat don't properly verify SSL certificates

[TingPing <tingping () tingping se>]

If anybody cares, HexChats plan is to support cert-pinning so users can
still trust self-signed certs. Eitherway this has little to do with
validating hostnames, especially self-signed certs should always have
matching hostnames.

On Fri, Jan 30, 2015 at 9:15 AM, Kurt Seifried <kseifried () redhat com> wrote:

> On 30/01/15 02:56 AM, Michael Samuel wrote:
> > On 30 January 2015 at 06:24, Sam Dodrill <shadow.h511 () gmail com> wrote:
> > > A lot of the time IRC networks will not pay for a verified SSL cert due
> to
> > > the fact that the kind of SSL cert they would need (a wildcard one) is
> > > financially prohibitive. I don't think this is a security bug with
> hexchat
> > > more a symptom of the fact that SSL combines encryption and identity
> > > verification where sometimes people only want the former.
> >
> > The correct response to this is for them to publish their self-signed
> > certificate (or even a CA certificate) and have it pasted into the
> > client, along with the configuration.
>
> Sorry what? A DV (Domain Validated) wildcard cert is now 80-90$ a year
> from many providers (google "cheap ssl"). SSL certs are no longer
> expensive and have not been for many years.
>
> > The client could then perform a byte-wise compare of the public key.
> >
> > I assume well-known networks could have their certificates hard-coded
> > into the client.
>
> No. Just no. You put root certs on the client side, not the actual
> server certs. Google "crypto agility" and so on.
>
> --
> Kurt Seifried -- Red Hat -- Product Security -- Cloud
> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993