If I am totally honest, the first thing I thought when I saw the changes in the diff was that it was done to make dcpp's simplistic implementation match the spec (or rather the other way around).
Changing the spec back to the way it was doesn't break any implementations as far as I know, all the more verbose version does is state explicitly what is to be done when the certificate is in a chain (as well as some subtle wording changes and a grammar fix or two). Although notably DC++'s implementation fails to accept several valid KEYP scenarios (based on original text) and some MITM attacks utilizing chains (as I understand it, I am by no means a security expert, unlike the guy I am proxying here). Realistically speaking DC++'s implementation would be fine in something like 9 cases out of 10. Considering that typically hubs do use self signed certificates over more complex setups. -- You received this bug notification because you are a member of Dcplusplus-team, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/991342 Title: KEYP Vulnerability Status in DC++: New Bug description: With the current vulnerability with DC++'s current KEYP implementation the underlying issue seems to be this ... [2012-04-26 09:24] <Crise> anyways, the thing with keyp is entirely different problem... which is basically that it only verifies keyp on the peer level certificate and not on the whole chain as it should Crise has stated he has another source who knows the exploit but will not divulge in who he is. To manage notifications about this bug go to: https://bugs.launchpad.net/dcplusplus/+bug/991342/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~linuxdcpp-team Post to : [email protected] Unsubscribe : https://launchpad.net/~linuxdcpp-team More help : https://help.launchpad.net/ListHelp
