Hi Wojtek,

Sorry, I have a doubt. I would like to know how certificate validation is performed in the proprietary protocol and why something similar cannot be performed in this case?

On Tue, Jun 4, 2013 at 4:41 AM, Wojtek Kaniewski <wojte...@toxygen.net> wrote:
> On 2013-06-02, Sun at 19:02 +0530, Radhesh Krishnan K writes:
> > I would like to report a security bug in libgadu. libgadu is using
> > openSSL library for creating secure connections.
> > (...)
> > So the product using libgadu will be vulnerable to man-in-the-middle
> > attack.
>
> It was rather a conscious decision. Since libgadu is a
> reverse-engineered implementation of a proprietary protocol, we have no
> control over the certificates used for SSL connections. We don't know
> which certificates will be accepted or rejected by the original client,
> so there is no reliable way to verify their validity in libgadu. But
> since you mentioned it, I guess we should at least add a note to the
> documentation.
>
> Regards,
> Wojtek
>

--
Regards,
Radhesh Krishnan K.
_______________________________________________
libgadu-devel mailing list
libgadu-devel@lists.ziew.org
http://lists.ziew.org/mailman/listinfo/libgadu-devel
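For readers who want to see concretely what "no certificate verification" versus verification means in OpenSSL terms, here is an added example (not libgadu's code, and not from either poster) using Python's `ssl` module: the unverified client setting that leaves a connection open to a man-in-the-middle, the hardened setting that requires a certificate chaining to a trusted CA plus a matching hostname, and a small audit helper that reports which of those protections a context lacks. The `cafile` parameter is an assumption; it lets a caller supply a pinned CA bundle instead of the system trust store.

```python
import socket
import ssl
from typing import List, Optional


def unverified_client_context() -> ssl.SSLContext:
    """Accept any certificate (the OpenSSL SSL_VERIFY_NONE behaviour).

    A MITM that presents its own certificate is not detected, which is
    the exposure discussed in the thread above.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Require a trusted chain and a hostname match.

    cafile (assumed parameter): path to a CA bundle to pin; None uses the
    system trust store via load_default_certs().
    """
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the MITM-relevant weaknesses of a client context (empty list = OK)."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode=CERT_NONE: any certificate is accepted")
    elif ctx.verify_mode == ssl.CERT_OPTIONAL:
        findings.append("verify_mode=CERT_OPTIONAL: a missing certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname=False: certificate is not tied to the server name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2")
    return findings


def open_verified_tls(host: str, port: int, cafile: Optional[str] = None) -> ssl.SSLSocket:
    """Connect and wrap the socket; server_hostname is what drives the hostname check."""
    ctx = hardened_client_context(cafile)
    sock = socket.create_connection((host, port))
    return ctx.wrap_socket(sock, server_hostname=host)
```

Running `audit_context` over a library's own context is a quick way to confirm, from the defender's side, whether a TLS client will actually notice an interposed certificate.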