ewaf: is it possible to configure gajim in a way that it doesn't trust certificates signed by a cert authority and that you have to manually trust them?
lovetox: no ewaf
lovetox: actually it's possible on Windows
lovetox: in Gajim install dir, under Gajim\lib\python3.8\site-packages\certifi\cacert.pem
lovetox: delete the file then all certs are untrusted
lovetox: i don't recommend that though, an unknown amount of things will probably not work anymore
lovetox: but try it out
ewaf: lovetox: what depends on that file?
lovetox: all http operations
lovetox: uploading files, downloading pictures etc
ewaf: wow
ewaf: why isn't there an option to mark all CAs as untrusted?
ewaf: not providing such an option makes users vulnerable to mitm attacks
ewaf: if an adversary could get a valid cert
lovetox: because not enough people need that to justify the added complexity
lovetox: yeah ewaf guess what, most people are not hunted by the NSA
ewaf: but the ca trust model is fundamentally flawed. I don't want to be uncertain every time I use a public wifi or something that someone might be able to read my messages. (I use OMEMO anyways, but for public group chats, I don't want that, for example.)
ewaf: i think i'm gonna make a pr for this
Link Mauve: In the past Gajim would pop a popup whenever the certificate changed.
Link Mauve: This was hell for users, as every two months on some servers there was a change.
ewaf: lovetox: btw, will you sign commits, tags and binaries now?
ewaf: Link Mauve: why would you remove it without an option to enable it back on?
Link Mauve: ewaf, because it is a security downgrade to train users to ignore warnings as they are benign.
ewaf: Link Mauve: but you could hide it under advanced options somewhere, for users that are, well, 'advanced'.
Link Mauve: ewaf, note that this is unrelated to CAs.
Link Mauve: ewaf, dunno, I guess for the zero users who will benefit from that option it could be useful.
Link Mauve: But zero is a quite low number for code that has to be maintained.
ewaf: "ewaf, note that this is unrelated to CAs." what?
ewaf: i want to check if the certificate supplied by the server is the one the admin generated
ewaf: for me, CAs don't matter
ewaf: as long as i can be sure that i use the cert the admin set up
Link Mauve: Yes, so that’s unrelated.
ewaf: welp, guess I'll have to become a python developer now
lovetox: in current master
lovetox: you can view the cert
ewaf: lovetox: is it possible to get notified when it changes?
lovetox: no
lovetox: only if it's not valid
lovetox: and maybe we can save us both some time if i just tell you right now, Gajim does not target some whistleblowers that try to escape NSA
lovetox: i suggest finding other whistleblowers and writing your own super secure messenger
bot: Philipp Hörist pushed 3 commits to branch _refs/heads/master_ of _gajim_ < https://dev.gajim.org/gajim/gajim >:
https://conference.gajim.org:5281/pastebin/fd933d03-ee70-46af-ae27-84e9f7de9486
bot: André proposed a new merge request for _gajim/master_ < https://dev.gajim.org/gajim/gajim/merge_requests/547 >:
Update Appdata file