[Weechat-dev] [bug #24947] SSL/TLS support works, but no support for ver

From: Gary D. Huffman, II
Subject: [Weechat-dev] [bug #24947] SSL/TLS support works, but no support for verification of server certificates
Date: Wed, 26 Nov 2008 20:08:36 +0000
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/2008111922 GranParadiso/3.0.4


                 Summary: SSL/TLS support works, but no support for
verification of server certificates
                 Project: Wee Enhanced Environment for Chat
            Submitted by: gdhuffman
            Submitted on: Wed 26 Nov 2008 03:08:35 PM EST
                Category: other
                Severity: 3 - Normal
              Item Group: other
                  Status: None
                 Privacy: Public
             Assigned to: None
         Originator Name: 
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any
                 Release: 0.2.6
                IRC nick: 



More and more IRC servers are supporting SSL/TLS every day.  I'm pleased to
see more people taking an interest in their privacy and security.  It is
important to keep in mind how easily a man-in-the-middle attack can take
place, and therefore circumvent the entire purpose of the encrypted session.

As WeeChat is truly the geekiest IRC client, it seems appropriate that it
have the most robust handling of encrypted sessions.  Since many networks use
a combination of round-robin DNS and self-signed certificates, I propose the
following logic:

Best case is the certificate is signed by a trusted CA.  If so, verify the
certificate, display the trusted CA name and encrypted session statistics
(public/symmetric key type and bit sizes), and continue connecting.

Typical case is the certificate is self-signed, and will vary depending on
which server in the round-robin DNS the client lands on.  In this case,
display the encrypted session statistics (this time including the key
fingerprints as well), and present the user with the option to continue for
this session only, or to store the server certificate permanently.

Possibly add an option (for the truly paranoid/security minded) to ignore the
OS's list of trusted CAs, so they can always verify key fingerprints manually.
Maybe even later down the road, permit the encrypted storage of trusted key
fingerprints (via keyring managers, etc).

Sorry if you guys don't consider this a bug, but I certainly consider it more
of a bug than a feature request. I saw a feature request for something similar
a year or so ago, but as far as I can tell no progress has been made. I would
like this to be prioritized -- the net is an increasingly hostile environment.
Thanks guys. Keep up the good work! :)
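
The decision order proposed in this report (trusted CA first, then stored fingerprints, then ask the user), sketched as an added example that is not part of the original report or WeeChat's code. The `ca_verified` flag stands for the TLS library's chain and hostname check, and `PinStore`, `decide`, the JSON file layout and the sample bytes are assumptions made for illustration.

```python
import hashlib
import json
from pathlib import Path


class PinStore:
    """Accepted fingerprints per host; several per host, since round-robin DNS
    can land on servers that each present a different self-signed cert."""

    def __init__(self, path=None):
        self.path = Path(path) if path else None
        self.permanent = {}  # host -> set of fingerprints, written to disk
        self.session = {}    # host -> set of fingerprints, this run only
        if self.path and self.path.exists():
            saved = json.loads(self.path.read_text())
            self.permanent = {h: set(fps) for h, fps in saved.items()}

    def knows(self, host, fp):
        return fp in self.permanent.get(host, set()) or fp in self.session.get(host, set())

    def accept(self, host, fp, permanently):
        target = self.permanent if permanently else self.session
        target.setdefault(host, set()).add(fp)
        if permanently and self.path:
            data = {h: sorted(fps) for h, fps in self.permanent.items()}
            self.path.write_text(json.dumps(data, indent=2))


def fingerprint(der_cert):
    """SHA-256 over the DER-encoded certificate, colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def decide(host, der_cert, ca_verified, store, ignore_system_cas=False):
    """Return (decision, fingerprint) for one handshake.
    ca_verified: result of the TLS library's chain + hostname check (assumed input)."""
    fp = fingerprint(der_cert)
    if ca_verified and not ignore_system_cas:
        return "trusted-ca", fp       # best case: continue connecting
    if store.knows(host, fp):
        return "pinned", fp           # previously accepted by the user
    return "ask-user", fp             # show fingerprint, offer session/permanent


if __name__ == "__main__":
    store = PinStore()  # in-memory only; pass a file path to persist
    cert = b"constructed sample bytes standing in for a DER certificate"
    print(decide("irc.example.org", cert, False, store))
```

A certificate that changes on a pinned host falls through to "ask-user" again, which is the point at which a client would show the new fingerprint next to the stored ones.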

