TLS Handler and stable release
David Edmundson
david at davidedmundson.co.uk
Fri Feb 8 15:04:27 UTC 2013
On Fri, Feb 8, 2013 at 2:55 PM, Daniele E. Domenichelli <
daniele.domenichelli at gmail.com> wrote:
> Hello,
>
> As you probably already know Dan finally implemented the TLS handler,
> and shipped it in master.
>
> The lack of a TLS handler in 0.5 is in my opinion a quite big security
> bug, because in order to connect to a server with a self signed or
> expired certificate you have to disable ssl error checks, and therefore
> user is completely unprotected from man in the middle and similar attacks.
>
This is *not true*.
If we don't have a handler MC checks the certificate itself. If it's valid
it goes through, if it's invalid the channel is rejected.
The problems are:
- it uses the system certs, not KDE cert rules
- If it's wrong we can't prompt the user.
To test this, simply connect to a local prosody server without ticking
"ignore ssl errors", it blocks the connection
I think it is quite important to ship the TLS handler in the next 0.5
> series releases, for the distros that ship kde telepathy 0.5 and won't
> update to 0.6 when it is ready.
> Nonetheless there are (at least) 2 problems in this:
>
> 1) The TLS handler dialogs introduce new i18n strings, that will need to
> be translated (this might be a problem for translators).
> 2) The TLS handler introduces new dependencies (this might be a problem
> for packagers).
> What is your opinion? Should we just ignore this problem?
>
>
I don't want to replace this with a system that we've only had for a few
days and isn't as well tested as what's in MC.
Whilst Dan's new handler is _frickin' awesome_ I think the new build dep is
a serious problem, and I don't want to go round saying we had a security
flaw, when we don't.
David
> Cheers,
> Daniele
> _______________________________________________
> KDE-Telepathy mailing list
> KDE-Telepathy at kde.org
> https://mail.kde.org/mailman/listinfo/kde-telepathy
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/kde-telepathy/attachments/20130208/42f44ea4/attachment.html>
More information about the KDE-Telepathy
mailing list