On Sun, 2013-06-02 at 19:02 +0530, Radhesh Krishnan K wrote:
> I would like to report a security bug in libgadu. libgadu is using
> the OpenSSL library for creating secure connections.
> (...)
> So the product using libgadu will be vulnerable to a man-in-the-middle
> attack.

It was rather a conscious decision. Since libgadu is a
reverse-engineered implementation of a proprietary protocol, we have no
control over the certificates used for SSL connections. We don't know
which certificates will be accepted or rejected by the original client,
so there is no reliable way to verify their validity in libgadu. But
since you mentioned it, I guess we should at least add a note to the
documentation.

Regards,
Wojtek


_______________________________________________
libgadu-devel mailing list
libgadu-devel@lists.ziew.org
http://lists.ziew.org/mailman/listinfo/libgadu-devel
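
An added example, not libgadu code and not something proposed in this thread: when CA-chain validation is impractical for the reason given in the reply above, a client can still detect a changed server certificate by pinning its fingerprint on first use. `PinStore`, `connect_pinned` and the sample byte strings are hypothetical names and constructed values.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 of the DER-encoded leaf certificate."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Hypothetical in-memory trust-on-first-use store: host -> fingerprint."""

    def __init__(self):
        self._pins = {}

    def check(self, host: str, der_cert: bytes) -> str:
        """Return 'pinned' on first sight, 'match' if unchanged, else 'mismatch'."""
        key = host.lower().rstrip(".")
        seen = fingerprint(der_cert)
        known = self._pins.get(key)
        if known is None:
            self._pins[key] = seen
            return "pinned"
        # A mismatch never overwrites the stored pin.
        return "match" if hmac.compare_digest(known, seen) else "mismatch"


def connect_pinned(store: PinStore, host: str, port: int) -> ssl.SSLSocket:
    """Open a TLS connection without CA validation, but enforce the pin."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # no chain validation, as in the thread
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    # getpeercert(binary_form=True) returns the DER bytes even when unverified.
    if store.check(host, tls.getpeercert(binary_form=True)) == "mismatch":
        tls.close()
        raise ssl.SSLError("server certificate differs from the pinned one")
    return tls


# Constructed stand-ins for DER certificate bytes (not real certificates).
CERT_A = b"constructed-der-bytes-A"
CERT_B = b"constructed-der-bytes-B"
```

Pinning only protects connections made after the first one, and the pin must be persisted and checked before any credentials are sent.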
