GNOME Bugzilla – Bug 705326
User help suggests "ignore SSL certificate errors" option for Jabber accounts "if you trust the server you are connecting to"
Last modified: 2015-02-03 20:44:19 UTC
This is an excerpt from the "Jabber account details" page of the user guide: "Some Jabber servers may encrypt data using invalid certificates, or using certificates from unknown authorities. If you trust the server you are connecting to, you can select Ignore SSL certificate errors to allow encrypted communication with invalid certificates." This is not a valid reason to ignore SSL certificate errors, since it prevents you from knowing that you're connected to the trusted server. This paragraph should be removed, at least. A description of how to add an unrecognized certificate would be better.
Thank you for filing the bug. Please feel free to provide a patch to make the page technically correct. Empathy help is currently in need of a review, and it is likely that account-jabber.page may be deleted altogether or rewritten and integrated into the help because it is currently not accessible from the index. As this is likely to still take some time, we would appreciate help to keep the existing documentation up to date.
Created attachment 253034 [details] [review]
Caution users about using "Ignore SSL Errors"

Trusting the server is no reason to ignore SSL errors. SSL is what you use to make sure you're talking to the server you trust.
Sorry for the delay. I need to defer to the developers on the process for trusting a certificate in Telepathy (plus it's probably awfully different in Fedora than in the rest of the world right now), but this patch at least fixes the poor advice.
The future plan is to kill all SSL error / certificate dialogs. See http://www.superlectures.com/guadec2013/more-secure-with-less-security
I actually watched the entire talk and think it's a good plan. (Certainly a "break my SSL" checkbox seems like such a bad idea to me, but as it exists, the documentation needs to reflect that in a more appropriate way.) I believe there was also discussion about a future GUI for trusting certificates, so that we don't completely shut out self-signed certs.
(In reply to comment #2)
> Created an attachment (id=253034) [details] [review]
> Caution users about using "Ignore SSL Errors"
>
> Trusting the server is no reason to ignore SSL errors. SSL is what you
> use to make sure you're talking to the server you trust

This would be nice to have for 3.10. Good to push?
Review of attachment 253034 [details] [review]: Sorry for the late review! ::: help/C/account-jabber.page @@ +6,3 @@ <info> <desc>Advanced options for Jabber and Google Talk accounts.</desc> + <revision pkgversion="3.10" version="0.1" date="2013-08-24" status="review"> Please don't overwrite the original revision, append a second revision tag so that it looks like: <revision pkgversion="2.28" version="0.1" date="2009-08-27" status="review"> <revision pkgversion="3.10" date="2013-08-24" status="review"> @@ +54,3 @@ + <gui>Ignore SSL certificate errors</gui> to allow encrypted communication + with invalid certificates, but this allows an attacker to intercept your + communication with the server (including your password).</p> "Ignore SSL certificate errors" does not automatically allow someone to intercept communication. Think about when a certificate expires, the security of the connection does not change. You should definitely explain when it is worth ignoring certificate errors.
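Review bot: in the second hunk, the line `+ with invalid certificates, but this allows an attacker to intercept your` states the consequence more strongly than the mechanism supports: ignoring certificate errors does not by itself intercept anything, it removes the client's only means of telling the intended server from any other party presenting a certificate, so a substituted certificate and a merely expired one look the same to the user and an interception would go unnoticed. Suggest rewording to something like "but then your client cannot tell the real server from an impostor, so anyone able to intercept the connection could read it (including your password)", which keeps the warning while being accurate about expired certificates.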
(In reply to comment #0)
> This is not a valid reason to ignore SSL certificate errors, since it prevents
> you from knowing that you're connected to the trusted server.

Can you give an example of a valid reason?

> A description of how to add an unrecognized
> certificate would be better.

Yes, please add this.
But if the cert is expired and you check "Ignore SSL errors," then attackers can silently intercept your connection, which defeats the purpose of having checked "Require SSL." Unless perhaps the server requires SSL, but the user is fine with an insecure connection? (I'm not an expert on any of these chat protocols, so I don't know if that's a possibility.)

Stef - hope you don't mind being CCed on this - I watched your GUADEC talk and I'm curious how you'd recommend this option be documented? Thanks.

> > A description of how to add an unrecognized
> > certificate would be better.
>
> Yes, please add this.

I don't want to volunteer to write that because I'm not familiar with the process and it doesn't look simple, sorry.

(In reply to comment #7)
>
> Please don't overwrite the original revision, append a second revision tag so
> that it looks like:
> <revision pkgversion="2.28" version="0.1" date="2009-08-27"
> status="review">
> <revision pkgversion="3.10" date="2013-08-24" status="review">

So that's how that works. :)
(In reply to comment #9)
> But if the cert is expired and you check "Ignore SSL errors," then attackers
> can silently intercept your connection, which defeats the purpose of having
> checked "Require SSL."

I mean, the user surely has no way of knowing whether the connection has been made with the invalid expired cert he expects, or a different malicious cert.
Sorry for the huge delay on this. So I stand by my original patch here: if the cert doesn't validate, you have no clue who you're talking to. This is nothing more than a "please hack me" checkbox and we should document it as such; it's useful for testing or if the server is broken and you don't care about the security of your communications. I think the only thing I need to change from my original patch is the revision tag.
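As an added illustration of the distinction argued over in comments 7 to 10 (example code written for this page, not Empathy's or Telepathy's and not part of the attached patch): with verification left on, a client that has added one known certificate to its trust store (the "add an unrecognized certificate" route from comment #0) can tell the server presenting that certificate outside its validity window (expired) apart from a different key being presented (unknown authority), whereas "Ignore SSL certificate errors" skips the whole check and accepts both alike. Go's crypto/x509 stands in for whatever TLS library the client uses; the host name jabber.example and the certificates are constructed by the helper.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newSelfSigned makes a self-signed server certificate for host, valid from notBefore to
// notAfter. Constructed test data standing in for a Jabber server's real certificate.
func newSelfSigned(host string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkServer is the client-side check that "Ignore SSL certificate errors" switches off.
func checkServer(presented, trusted *x509.Certificate, host string, now time.Time) string {
	pool := x509.NewCertPool() // trust exactly this certificate instead of disabling checks:
	pool.AddCert(trusted)      // the "add the unrecognized certificate" route from comment #0
	_, err := presented.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, CurrentTime: now})
	if err == nil {
		return "accepted"
	}
	if _, ok := err.(x509.UnknownAuthorityError); ok {
		return "unknown authority" // a different key: the client cannot tell who this is
	}
	if e, ok := err.(x509.CertificateInvalidError); ok && e.Reason == x509.Expired {
		return "expired" // the trusted key, just outside its validity window
	}
	return "other failure: " + err.Error()
}
```

With the checkbox ticked, none of checkServer runs, so the "unknown authority" case (an impostor's key) is accepted exactly like the genuine server.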