List:       oss-security
Subject:    Re: [oss-security] CVE request: xchat/hexchat don't properly verify SSL certificates
From:       TingPing <tingping () tingping ! se>
Date:       2015-01-30 19:27:24
Message-ID: CAJYVuzm_e6sLuQmxX2OXxgVg0z=YS-A6PMvu4UT1N5ULycbwCw () mail ! gmail ! com


If anybody cares, HexChat's plan is to support cert-pinning so users can
still trust self-signed certs. Either way, this has little to do with
validating hostnames; especially self-signed certs should always have
matching hostnames.

On Fri, Jan 30, 2015 at 9:15 AM, Kurt Seifried <kseifried@redhat.com> wrote:

> On 30/01/15 02:56 AM, Michael Samuel wrote:
> > On 30 January 2015 at 06:24, Sam Dodrill <shadow.h511@gmail.com> wrote:
> >> A lot of the time IRC networks will not pay for a verified SSL cert due to
> >> the fact that the kind of SSL cert they would need (a wildcard one) is
> >> financially prohibitive. I don't think this is a security bug with hexchat
> >> more a symptom of the fact that SSL combines encryption and identity
> >> verification where sometimes people only want the former.
> >
> > The correct response to this is for them to publish their self-signed
> > certificate (or even a CA certificate) and have it pasted into the
> > client, along with the configuration.
>
> Sorry what? A DV (Domain Validated) wildcard cert is now 80-90$ a year
> from many providers (google "cheap ssl"). SSL certs are no longer
> expensive and have not been for many years.
>
> > The client could then perform a byte-wise compare of the public key.
> >
> > I assume well-known networks could have their certificates hard-coded
> > into the client.
>
> No. Just no. You put root certs on the client side, not the actual
> server certs. Google "crypto agility" and so on.
>
> --
> Kurt Seifried -- Red Hat -- Product Security -- Cloud
> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
>
>
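The two points made in this thread, pinning a self-signed certificate so the user can keep trusting it, and still requiring the certificate to name the host being connected to, combine into one verification callback. What follows is an added example written for this archive page; it is not HexChat's code, and the host name irc.example.net, the function names and the throwaway certificate generator are assumptions made for the illustration. It pins the SubjectPublicKeyInfo hash rather than the raw certificate bytes and accepts a set of pins, which is the usual way to keep a pin compatible with certificate reissue and key rotation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SPKIPin returns base64(SHA-256(SubjectPublicKeyInfo)) for a certificate.
// Pinning the key rather than the whole certificate lets the operator reissue
// the cert (new dates, new SANs) on the same key without breaking clients.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinnedVerifier builds a callback for tls.Config.VerifyPeerCertificate.
// The server cert is self-signed, so chain building against the system roots
// is switched off and this callback does all the checking: the leaf key must
// match a pin the user accepted earlier, AND the cert must name the host.
func PinnedVerifier(host string, pins map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("server sent no certificate")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return fmt.Errorf("parse leaf: %w", err)
		}
		if !pins[SPKIPin(leaf)] {
			return fmt.Errorf("key %s is not pinned for %s", SPKIPin(leaf), host)
		}
		// A pinned key is not a licence to skip the name check: the pin says
		// "I trust this key", the SAN says "this key speaks for this host".
		if err := leaf.VerifyHostname(host); err != nil {
			return fmt.Errorf("pinned certificate does not match host: %w", err)
		}
		now := time.Now()
		if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
			return errors.New("pinned certificate is outside its validity period")
		}
		return nil
	}
}

// ClientConfig wires the verifier into the tls.Config an IRC client would dial with.
func ClientConfig(host string, pins map[string]bool) *tls.Config {
	return &tls.Config{
		ServerName:            host,
		InsecureSkipVerify:    true, // chain validation replaced by PinnedVerifier
		VerifyPeerCertificate: PinnedVerifier(host, pins),
		MinVersion:            tls.VersionTLS12,
	}
}

// SelfSignedCert makes a throwaway self-signed cert for hosts (constructed
// test data), standing in for what a network operator would publish with its pin.
func SelfSignedCert(hosts ...string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: hosts[0]},
		DNSNames:     hosts,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := SelfSignedCert("irc.example.net")
	if err != nil {
		panic(err)
	}
	pins := map[string]bool{SPKIPin(cert): true}
	verify := ClientConfig("irc.example.net", pins).VerifyPeerCertificate
	fmt.Println("pin:", SPKIPin(cert))
	fmt.Println("right host:", verify([][]byte{cert.Raw}, nil))
	fmt.Println("wrong host:", PinnedVerifier("evil.example.net", pins)([][]byte{cert.Raw}, nil))
}
```

The callback rejects a certificate whose key is pinned but whose SANs do not cover the dialed host, which is the hostname case the reply above says pinning does not replace. Holding several pins at once (the current key plus a backup) is what keeps this scheme compatible with key rotation.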

