Gajim - 2019-12-02


  1. ewaf is it possible to configure gajim in a way that it doesn't trust certificates signed by a cert authority and that you have to manually trust them?
  2. lovetox no ewaf
  3. lovetox actually its possible on Windows
  4. lovetox in Gajim install dir, under Gajim\lib\python3.8\site-packages\certifi\cacert.pem
  5. lovetox delete the file then all certs are untrusted
  6. lovetox i dont recommend that though, an unknown amount of things will probably dont work anymore
  7. lovetox but try it out
  8. ewaf lovetox: what depends on that file?
  9. lovetox all http operations
  10. lovetox uploading files, downloading pictures etc
  11. ewaf wow
  12. ewaf why isn't there an option to mark all cas as untrusted?
  13. ewaf not proding such an option makes users vulnerable to mitm attacks
  14. ewaf if an adversary could get a valid cert
  15. lovetox because not enough people need that to justify the added complexity
  16. lovetox yeah ewaf guess what, most people are not hunted by the NSA
  17. ewaf but the ca trust model is fundamentally flawed. I don't want to be uncertain every time I use a public wifi or something that someone might be able to read my messges. (I use OMEMO anyways, but for public group chats, I don't want that, for example.)
  18. ewaf i think i'm gonna make a pr for this
  19. Link Mauve In the past Gajim would pop a popup whenever the certificate changed.
  20. Link Mauve This was hell for users, as every two months on some servers there was a change.
  21. ewaf lovetox: btw, will you sign commits, tags and binaries now?
  22. ewaf Link Mauve: why would you remove it without an option to enable it back on?
  23. Link Mauve ewaf, because it is a security downgrade to train users to ignore warnings as they are benign.
  24. ewaf Link Mauve: but you could hide it under advanced options somewhere, for users that are, well, 'advanced'.
  25. Link Mauve ewaf, note that this is unrelated to CAs.
  26. Link Mauve ewaf, dunno, I guess for the zero users who will benefit from that option it could be useful.
  27. Link Mauve But zero is a quite low number for code that has to be maintained.
  28. ewaf "ewaf, note that this is unrelated to CAs." what?
  29. ewaf i want to check if the certificate supplied by the server is the one the admin generated
  30. ewaf for me, CAs don't matter
  31. ewaf as long as i can be sure that i use the cert the admin set up
  32. Link Mauve Yes, so that’s unrelated.
  33. ewaf welp, guess I'll have to become a python developer now
  34. lovetox in current master
  35. lovetox you can view the cert
  36. ewaf lovetox: is it possible to get notified when it changes?
  37. lovetox no
  38. lovetox only if its not valid
  39. lovetox and maybe we can save us both some time if i just tell you right now, Gajim does not target some whisteblowers that try to escape NSA
  40. lovetox i suggest finding other whistleblowers and write your own super secure messenger
  41. bot Philipp Hörist pushed 3 commits to branch _refs/heads/master_ of _gajim_ < https://dev.gajim.org/gajim/gajim >: https://conference.gajim.org:5281/pastebin/fd933d03-ee70-46af-ae27-84e9f7de9486
  42. bot André proposed a new merge request for _gajim/master_ < https://dev.gajim.org/gajim/gajim/merge_requests/547 >: Update Appdata file