Do you think that using SSL where your client accepts every certificate (the link points to a function that returns a success code unconditionally, the 'real' stuff is disabled by preprocessor directives) is bad?
Whatever the severity (for me this is certainly high), the tone in that bug report is inexcusable.
Edit 2: The bug report has now a proper response, quite relaxed. So it seems this is totally expected - for whatever reasons. I'm still curious why the code is littered with #if 0 fragments for years (dead code belongs in the vcs history for me), but the initial expectation of a total lack of certificate verification is wrong.
The author of this ticket isn't exaggerating when he states that "MITMing this crawling horror would be no more difficult than a plain, unencrypted TCP connection".
Yes, unnecessarily rude and offensive to the developer(s) who wrote it. If he'd just used a more respectful title and removed the last sentence it would have been fine.
No, it wouldn't have been fine. If you find a security bug, you have to follow the reporting procedures. Otherwise you're just making things worse. This should not be in a public ticket.
That aside, I have a hard time seeing that there's any level of rudeness this sort of code doesn't deserve.
In general, lobotomy victims did not choose to have the procedure and have no recourse but to live with the results. This title is rude both to the developers (who we can assume are good intentioned) and to lobotomy victims (who likely had nothing to do with this security issue).
Or, it's just old cruft that is no longer used. As per datallah's response:
"If you don't look carefully, it may appear that the NSS plugin doesn't do any validation of the SSL certificates, but that isn't the case; the validation is done, just not by the SSL_AuthCertificateHook hook."
"If you look at ssl-nss.c#l454, you'll see that before the SSL connection is considered "connected" from libpurple's perspective, ssl_nss_handshake_cb is called to validate the certificate using the libpurple's purple_certificate_verify functionality."
This is why you don't jump to conclusions, throw out an emotional diatribe, and generally make an ass of yourself when writing bug reports.
"If you don't look carefully, it may appear that the NSS plugin doesn't do any validation of the SSL certificates, but that isn't the case; the validation is done, just not by the SSL_AuthCertificateHook hook."
Why isn't libpurple, being a library, licensed under the LGPL, instead of the GPL? If it were, then there would be no problem linking with OpenSSL if I understand things correctly.
This bug report appears to have been written by a lobotomy victim who has had their "communicating with humans" part of the brain removed.</troll>
It makes me so sad to see this kind of attitude. And usually (don't know about this case) it comes from a person who does not contribute to the project.
Not everyone is a cryptographer. Although they should refrain from writing crypto code, calling them "lobotomy victims" makes you sound like one.
24 comments
[ 3.5 ms ] story [ 63.6 ms ] threadDo you think that using SSL where your client accepts every certificate (the link points to a function that returns a success code unconditionally, the 'real' stuff is disabled by preprocessor directives) is bad?
Whatever the severity (for me this is certainly high), the tone in that bug report is inexcusable.
Edit: Well, it seems that code existed like this since its creation, 2003-09-29: http://hg.pidgin.im/pidgin/main/rev/895a5ff9ebd4
Edit 2: The bug report has now a proper response, quite relaxed. So it seems this is totally expected - for whatever reasons. I'm still curious why the code is littered with #if 0 fragments for years (dead code belongs in the vcs history for me), but the initial expectation of a total lack of certificate verification is wrong.
Twitter(!) has the news as it broke/continues to break:
https://twitter.com/0xabad1dea/status/243095210819715072
> .. the most widely used(?) open source IM client library, libpurple?
At the very least, would have been a great place in the code to comment on where (since obviously not there) the cert is supposed to get validated!
That's how bad it is.
That aside, I have a hard time seeing that there's any level of rudeness this sort of code doesn't deserve.
No need for the spluttering outrage and emotional editorial comment by the bug reporter (to say nothing of the ad hominem attacks on the programmer).
"If you don't look carefully, it may appear that the NSS plugin doesn't do any validation of the SSL certificates, but that isn't the case; the validation is done, just not by the SSL_AuthCertificateHook hook."
"If you look at ssl-nss.c#l454, you'll see that before the SSL connection is considered "connected" from libpurple's perspective, ssl_nss_handshake_cb is called to validate the certificate using the libpurple's purple_certificate_verify functionality."
This is why you don't jump to conclusions, throw out an emotional diatribe, and generally make an ass of yourself when writing bug reports.
However, I'll also agree that being rude has some value. It's linked here and on other such sites.
It means they'll have to fix it, but also to be more careful in the future, because being bashed in public is never a fun thing. Unfortunate reality.
It makes me so sad to see this kind of attitude. And usually (don't know about this case) it comes from a person who does not contribute to the project.
Not everyone is a cryptographer. Although they should refrain from writing crypto code, calling them "lobotomy victims" makes you sound like one.