Pidgin 2.7.3 on Maemo5 - SSL certificates for MSN invalid

Etan Reisner deryni at pidgin.im
Sun Nov 21 12:09:39 EST 2010


On Sun, Nov 21, 2010 at 04:45:34PM +0000, David Woolley wrote:
> Etan Reisner wrote:
>
>>
>> To answer this again: http://developer.pidgin.im/wiki/MSNCertIssue
>
> As this is telling people to do something potentially dangerous, I think it
> should also tell them to check that the issuer and subject on each
> certificate are different, i.e. that they are not being fed a potentially
> bogus root certificate.
>
> It may be safe to fetch the intermediate certificates from an untrusted
> source, but only if they really are only intermediate ones.  At least I
> think that is true, but it is possible that openssl will stop when it finds
> a locally trusted intermediate certificate, in which case they need to
> verify the certificate chain before installing them.
>
> I know that some browsers will accept a locally trusted leaf certificate,
> even though they don't trust the corresponding root.

People don't understand certificates. At all. Which is why they were
perfectly willing to download certificates for the omega server from any
blog/host that happened to have them up. That page is hosted on the
pidgin.im server, the pem files come from the pidgin source, those exact
files will be in the next release of pidgin which people will implicitly
trust when they upgrade, etc.

Any text talking about verifying things is going to complicate and confuse
the situation more than I think it could possibly help, though I do
appreciate the thinking that goes into requesting it.

I'm open to adding a note to the bottom explaining the potential dangers
with doing this sort of thing, but anything more than that I think would be
too much.

    -Etan
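The checks David asks for in the quoted message (subject must differ from issuer, and the chain must verify before anything is installed) can be scripted. The script below is an added example for this archive page; it is not part of the thread, the MSNCertIssue wiki page, or Pidgin itself. It assumes only the openssl(1) command-line tool (1.1.1 or later); the function names, file names and the default trust-bundle path are my own choices.

```shell
#!/bin/sh
# Added example (not from the Pidgin thread or the MSNCertIssue page): sanity-check
# downloaded PEM certificates before installing them. Assumes the openssl(1) CLI,
# 1.1.1 or later; all function and file names here are my own. Three checks per file:
#   1. it holds exactly one certificate (a bundle could smuggle in an extra root),
#   2. its subject differs from its issuer (equal names mean a self-signed root, i.e.
#      a brand-new trust anchor, which a download from an untrusted host must never add),
#   3. it chains up to a CA that is already trusted locally.
set -u

# Print "root" when the certificate in $1 names itself as issuer, "intermediate"
# otherwise. Both names are rendered in RFC 2253 form so the strings compare cleanly.
cert_role() {
    subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1") || return 2
    iss=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$1") || return 2
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
        echo root
    else
        echo intermediate
    fi
}

# Number of PEM certificate blocks in $1 (prints 0 if there are none).
cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Verify that $1 chains to a trust anchor in the bundle $2, optionally using the
# certificates in $3 as untrusted intermediates. Only the given bundle is consulted
# (-no-CApath/-no-CAfile skip the system store), so the result does not depend on
# whatever happens to be installed on the machine running the check.
chain_ok() {
    if [ $# -ge 3 ]; then
        openssl verify -no-CApath -no-CAfile -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -no-CApath -no-CAfile -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# Apply all three checks to candidate $1 against trust bundle $2 (optional $3 = extra
# untrusted intermediates). Exit status 0 means the file is safe to install.
audit_pem() {
    n=$(cert_count "$1")
    [ "$n" -eq 1 ] || { echo "$1: expected 1 certificate, found $n" >&2; return 1; }
    role=$(cert_role "$1") || { echo "$1: not a parsable X.509 certificate" >&2; return 1; }
    [ "$role" = intermediate ] || { echo "$1: self-signed; installing it would add a new root" >&2; return 1; }
    chain_ok "$1" "$2" ${3:+"$3"} || { echo "$1: does not chain to a trusted CA" >&2; return 1; }
    echo "$1: ok"
}

# Command-line use: sh check_certs.sh candidate.pem [more.pem ...]
# TRUST_BUNDLE names the locally trusted CA bundle. The default below is an assumption
# (the Debian-style path); set it to whatever the device actually uses.
if [ $# -gt 0 ]; then
    status=0
    for f in "$@"; do
        audit_pem "$f" "${TRUST_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}" || status=1
    done
    exit "$status"
fi
```

The chain step also settles the doubt in the quoted message about where openssl stops: `openssl verify` only anchors a chain at a self-signed certificate from the supplied bundle; accepting a merely trusted intermediate as an anchor requires its `-partial_chain` option, which this script does not pass. So a file that is an intermediate for a root you do not already trust fails check 3 instead of being silently accepted.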


