[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Weechat-dev] [bug #24947] SSL/TLS support works, but no support for ver
|
From: |
Gary D. Huffman, II |
|
Subject: |
[Weechat-dev] [bug #24947] SSL/TLS support works, but no support for verification of server certificates |
|
Date: |
Wed, 26 Nov 2008 20:08:36 +0000 |
|
User-agent: |
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008111922 GranParadiso/3.0.4 |
URL:
<http://savannah.nongnu.org/bugs/?24947>
Summary: SSL/TLS support works, but no support for
verification of server certificates
Project: Wee Enhanced Environment for Chat
Submitted by: gdhuffman
Submitted on: Wed 26 Nov 2008 03:08:35 PM EST
Category: other
Severity: 3 - Normal
Item Group: other
Status: None
Privacy: Public
Assigned to: None
Originator Name:
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Release: 0.2.6
IRC nick:
_______________________________________________________
Details:
More and more IRC servers are supporting SSL/TLS every day. I'm pleased to
see more people taking an interest in their privacy and security. It is
important to keep in mind how easily a man in the middle attack can take
place, and therefore circumvent the entire purpose of the encrypted session.
As WeeChat is truly the geekiest IRC client; it seems appropriate that it
have the most robust handling of encrypted sessions. Since many networks use
a combination of round-robin DNS and self-signed certificates, I propose the
following logic:
Best case is the certificate is signed by a trusted CA. If so, verify the
certificate, display the trusted CA name and encrypted session statistics
(public/symmetric key type and bit sizes), and continue connecting.
Typical case is the certificate is self-signed, and will vary depending on
which server in the round-robin DNS the client lands on. In this case,
display the encrypted session statistics (this time including the key
fingerprints as well), and present the user with the option to continue for
this session only, or to store the server certificate permanently.
Possibly add an option (for the truly paranoid/security minded) to ignore the
OS's list of trusted CAs, so they can always verify key fingerprints manually.
Maybe even later down the road, permit the encrypted storage of trusted key
fingerprints (via keyring managers, etc).
Sorry if you guys don't consider this a bug, but I certainly consider it more
of a bug than a feature request. I saw a feature request for something similar
a year or so ago, but as far as I can tell no progress has been made. I would
like this to be prioritized -- the net is an increasingly hostile environment.
Thanks guys. Keep up the good work! :)
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/bugs/?24947>
_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Weechat-dev] [bug #24947] SSL/TLS support works, but no support for verification of server certificates,
Gary D. Huffman, II <=