SSL security concern

Ethan Blanton elb at
Mon Oct 14 10:47:20 EDT 2013

Ralf Skyper Kaiser spake unto us the following wisdom:
> can you clarify this quote from you please:
> "That goes against the general philosophy of open source clients. The user
> should be assumed to be responsible."
> Are you saying that users who use open source clients are assumed to be
> responsible? (and because of that pidgin should have a lousy SSL security
> implementation - because the user knows what he is doing)?

Note that David is not a Pidgin developer, and this opinion is his
own.  It is either a common attitude for Open Source software or a
common misconception regarding open source software, depending on your
perspective.  I view it as the latter.  There's no "philosophy" of
open source that says it has to suck in case the user wants it to.

That said, in this particular instance, we do not have a
straightforward option for accomplishing what you're asking for, and I
doubt we will soon provide one.  It is unfortunately quite common for
users to *need* to accept certificates with untrusted chains,
mismatched domains, expired signatures, etc.  We do not currently
provide an option for default disposition (either to confirm or
reject) of such a situation, we require the user to handle it


More information about the Support mailing list