SSL security concern

David Woolley forums at
Mon Oct 14 12:16:18 EDT 2013

On 14/10/13 15:39, Ralf Skyper Kaiser wrote:

> can you clarify this quote from you please:
> "That goes against the general philosophy of open source clients. The
> user should be assumed to be responsible."
> Are you saying that users who use open source clients are assumed to be
> responsible? (and because of that pidgin should have a lousy SSL
> security implementation - because the user knows what he is doing)?

Enforcing local management policy tends to be a low priority in open 
source software.  In the case of certificates, as long as the user is 
told that there is a problem with the certificate, it is generally 
assumed that any choice to ignore the warning is an informed decision. 
Freedom tends to include the freedom to ignore warnings.

Windows, although far from open source, tends to take a similar position 
by default, but does provide features like group policies to allow a 
management lock down. Windows SSL security implementation is also lousy, 
in your terms, because:

- most people who use it think that an https URL is all that is needed 
for security and have no understanding of the need for authentication;

- it enables all sorts of weird CAs with low authentication thresholds, 
along with the class 3 certificates - any one of which will let you in 
without a warning.

Incidentally, I don't know any easy way of giving standard Windows 
applications selective access to root certificates, without giving all 
applications the same restriction.

As a specific example of an area where Pidgin doesn't comply with 
management lock down wants is that every few months people ask how to 
disable all but one service, to which the standard answer, is you can 
disable protocols by removing the plugins, but the end user can just 
re-install them, so the correct solution is block at the firewall.  Of 
course, many people asking for this would want Facebook and Google 
blocked, but are using private XMPP servers, so share a common protocol.

As Ethan says, I'm not a Pidgin developer (my programming work with open 
source is in a different area), but I don't notice much support for 
management lock downs anywhere in Pidgin.

More information about the Support mailing list