oss-sec mailing list archives

Re: CVE request: xchat/hexchat don't properly verify SSL certificates


From: Michael Samuel <mik () miknet net>
Date: Fri, 30 Jan 2015 20:56:19 +1100

On 30 January 2015 at 06:24, Sam Dodrill <shadow.h511 () gmail com> wrote:
> A lot of the time IRC networks will not pay for a verified SSL cert due to
> the fact that the kind of SSL cert they would need (a wildcard one) is
> financially prohibitive. I don't think this is a security bug with hexchat,
> more a symptom of the fact that SSL combines encryption and identity
> verification where sometimes people only want the former.

The correct response to this is for them to publish their self-signed
certificate (or even a CA certificate) and have it pasted into the
client, along with the configuration.

The client could then perform a byte-wise compare of the public key.

I assume well-known networks could have their certificates hard-coded
into the client.
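The pinning scheme the reply describes, as an added example that is not from the thread or from either client: a Go TLS client configuration that replaces CA-chain verification with a byte-wise compare of the server's SubjectPublicKeyInfo against a pinned copy. The self-signed certificate and the hostname irc.example.net are constructed stand-ins for the certificate a network would publish alongside its connection details.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"math/big"
	"time"
)

// pinnedVerifier accepts the peer only if its leaf SubjectPublicKeyInfo equals the pinned bytes; the signer is irrelevant.
func pinnedVerifier(pinnedSPKI []byte) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("peer presented no certificate")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err == nil && !bytes.Equal(leaf.RawSubjectPublicKeyInfo, pinnedSPKI) {
			err = errors.New("peer public key does not match the pinned key")
		}
		return err
	}
}

// pinnedTLSConfig builds the client config for a server whose key is known in advance.
func pinnedTLSConfig(serverName string, pinnedSPKI []byte) *tls.Config {
	return &tls.Config{
		ServerName:            serverName, // still sent as SNI
		InsecureSkipVerify:    true,       // chain and hostname checks off; the pin is the identity check
		VerifyPeerCertificate: pinnedVerifier(pinnedSPKI),
	}
}

// selfSignedCert is a constructed stand-in for a network's published cert; returns the DER cert and its SPKI.
func selfSignedCert(host string) (der, spki []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	if der, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key); err != nil {
		return nil, nil, err
	}
	spki, err = x509.MarshalPKIXPublicKey(&key.PublicKey)
	return der, spki, err
}
```

Pass the config to tls.Dial; a server presenting a certificate for any other key, whoever signed it, fails the handshake, and a replaced certificate for the same key is still accepted.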
