lovetox: in Gajim you can trust a self signed cert that a server offers
lovetox: what Gajim does is, it adds it to a kind of cert store (not the system one)
lovetox: and later if it gets UNKNOWN_CA, it just checks the store if the user trusts this cert
lovetox: now if someone knows i trust a specific self signed cert, could the creator of that cert impersonate another server?
lovetox: i think no, because changing stuff like domain within the cert, would change the fingerprint of the cert, and then the certs are not equal anymore, hence new trust decision
lovetox: is this correct?
Zash: Is that trust store per account or 'global'?
lovetox: global
lovetox: basically a server offers a cert, and i get the fingerprint and look if there is a cert with that fingerprint in the trust store
lovetox: question is, changing the domain a cert is valid for, changes the fingerprint
lovetox: or not?
Zash: the fingerprint for the entire cert would cover the entire cert
Zash: including all the names
Zash: it sounds like it may be possible for such a server to impersonate another server you have an account on, if you connect there somehow?
Zash: do you verify the names in self-signed certs tho?
lovetox: no, thats just one step in the verify process
lovetox: of course i let the ssl lib first verify the cert normally
lovetox: afterwards it offers me errors
lovetox: like UNKNOWN_CA
lovetox: if UNKNOWN_CA is the *only* error on the cert
lovetox: i check the trust store
Zash: in prosody there are no name checks if the CA is untrusted, I don't know how your code works
lovetox: of course if there are other errors like, BAD_IDENTITY or other stuff
lovetox: this is shown to the user
lovetox: hence if someone manipulates the trusted cert, so it links to another domain, to circumvent a BAD_IDENTITY error
lovetox: it would change the fingerprint of the cert
lovetox: hence Gajim would not find it anymore in the trust store
lovetox: and raise UNKNOWN_CA
Zash: You know, since this is security related, it might be best to quietly test whether it's exploitable before talking about it in public :)
lovetox: i dont think this is exploitable, and even if, nobody is forced to accept self signed certs
lovetox: but i wouldnt know how otherwise i can support self signed certs
lovetox: without presenting the user on every connect with a cert error dialog
Zash: What happens if the server later switches to a CA-issued cert?
Zash: IMO it would make sense to have such trust decisions be saved per account, just to be sure.
lovetox: its verified ok and user is not notified about it
lovetox: yes Zash thats what i was thinking about
lovetox: i have no concrete reason, but it feels a bit better
Zash: Some users would probably want a warning if the certificate changed from a self-signed to a CA-issued one.
Zash: Depending on why a self-signed cert was in use at all.
Zash: If it's just a temporary cert until a CA issued one can be gotten, then it probably doesn't matter.
Zash: If it's someone who doesn't trust CAs at all running the server, then it'd be suspicious if it suddenly had a CA-issued one.
lovetox: yeah probably right
lovetox: but i dont care about that one guy that wants that thing