Hi Wojtek,

Sorry, I have a doubt. I would like to know how certificate validation is
performed in the proprietary protocol and why something similar cannot be
performed in this case?

On Tue, Jun 4, 2013 at 4:41 AM, Wojtek Kaniewski <wojte...@toxygen.net>wrote:

> Dnia 2013-06-02, nie o godzinie 19:02 +0530, Radhesh Krishnan K pisze:
> > I would like to report a security bug in libgadu.  libgadu is using
> > openSSL library for creating secure connections.
> > (...)
> > So the product using libgadu will be vulnerable to  man-in-the-middle
> > attack.
> It was rather a conscious decision. Since libgadu is a
> reverse-engineered implementation of a proprietary protocol, we have no
> control over the certificates used for SSL connections. We don't know
> which certificates will be accepted or rejected by the original client,
> so there is no reliable way to verify their validity in libgadu. But
> since you mentioned it, I guess we should at least add a note to the
> documentation.
> Regards,
> Wojtek


Radhesh Krishnan K.
libgadu-devel mailing list

Reply via email to