On 2013-06-02, Sun at 19:02 +0530, Radhesh Krishnan K wrote:
> I would like to report a security bug in libgadu. libgadu is using
> OpenSSL library for creating secure connections.
> (...)
> So the product using libgadu will be vulnerable to man-in-the-middle
> attack.

It was rather a conscious decision. Since libgadu is a reverse-engineered implementation of a proprietary protocol, we have no control over the certificates used for SSL connections. We don't know which certificates will be accepted or rejected by the original client, so there is no reliable way to verify their validity in libgadu.

But since you mentioned it, I guess we should at least add a note to the documentation.

Regards,
Wojtek