SSL security concern
Ralf Skyper Kaiser
skyper at thc.org
Mon Oct 14 14:25:21 EDT 2013
So ... we already implement a large portion of this list, either
> explicitly or implicitly. To wit:
> > For Jitsi/Pidgin/Jabber this would mean:
> > 1. Do not allow non-private chats
> I don't know what this means.
...if OTR plugin is available then do not allow non-encrypted private
> 4. Feature to select CAfile storage location
> This is already provided, as a compile-time option.
This is not feasible to the average user. (point taken, developers know how
to use pidgin securely. everyone else should go to hell?)
> > 5. Force client to disable logging
> This is not an "option", but can easily be achieved by marking
> ~/.purple/logs unwriteable by the user.
Option should be available cross-platform and without OS specific hacks.
> > 6. Inform server that user is using lockdown (so that server can
> > all clients which do not).
> This is not useful, as a client can readily lie.
This is not the point. The client can also circumvent your no-logging idea
by putting up a camera and filming his screen.
The point is that it takes reasonable effort and prevents _accidental_
> > 7. Once lockdown option is enabled the user should not be able to
> > any of the above options until lockdown is disabled again (e.g. gray
> > the option). Disconnect when lockdown option changes and reconnect to
> > servers.
> I don't see what this buys. We're unlikely to implement it.
Prevents accidental misconfiguration by the user. A server rule could
create a rule to only let clients connect that are in lockdown. This would
ensure against these accidental misconfigurations:
1. User has logging disabled
2. User is authenticating against server supplied/server-trusted cert (and
not one of the 600+ CA's out there)
3. User can not send unencrypted private messages
It prevents accidental client misconfiguration which form the majority of
all security problems.
This is a disingenuous and misplaced statement. I assume you're
> trying to bribe egos. However, a) Pidgin is already used by many
> millions of users, b) the "much larger user base" is a small fraction
> of those millions consisting of (for example) certain financial
> companies, a small number of privacy-concerned tech-savvy individuals,
I think there is a use case for such a feature. There is currently no easy
to use and secure IM client on the market.
History (last 2-3 years, and recent PRISM leaks) have shown that
governments (and I'm not just talking about the US here) are intercepting
SSL traffic on a massive scale (see the DigiNotar-Iran incident, The
Blackberry-Etisalar incident, the PRISM case, ...etc etc etc).
This has been made possible because of lax security implementation - not
just in pidgin but across the board.
Firefox and Chrome are now on the forefront for implementing stricter SSL
security (including certificate pinning, HSTS and exclusive CA locations).
David: Saying that this is not required reminds me of a discussion in the
80s when the car manufactures said that Airbags are not required ("That
cars have a break and that people should drive responsibly. Only a small
ruthless-driving group of people would benefit.").
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Support