Ticket #4065 (closed defect: fixed)

Opened 5 months ago

Last modified 5 months ago

Make PyOpenSSL mandatory to prevent MITM

Reported by: js
Owned by: asterix
Priority: highest
Milestone: 0.12
Component: None
Version: svn
Severity: critical
Keywords:
Cc:
OS: All

Description

We should make PyOpenSSL mandatory, as with Python's SSL sockets, no certificate checking is possible at all. That opens doors and windows for man-in-the-middle attacks, rendering SSL completely useless.

We should just add PyOpenSSL as a mandatory dependency and kill support for Python's SSL sockets. IMO, this is a security issue, thus priority is highest.

Change History

Changed 5 months ago by asterix

-1. If you don't care about security, why should we force the user to install pyopenssl? Maybe a warning at connection time (that we can ignore).

Changed 5 months ago by js

I *CARE* about security (why do you think I don't care?! oO), that's why I want to FORBID the user from using insecure SSL.

Gajim should be usable by the average user. The average user will just click "OK" and use an insecure connection. IMO, that's just like not using SSL at all. Why would I use SSL if it doesn't provide ANY extra security over non-SSL connections because the cert is not verified? It's just a waste of CPU then, as it does NOTHING security-wise.

Please name *ONE* reason why one would actually use Python's SSL sockets.

Changed 5 months ago by steve-e

PyOpenSSL is an extra dependency. We should not require it if we don't have to.

It can be included in the Windows build, and it will be available for all people using major distributions. But we just shouldn't force a user to install it if he maybe can't port it to his cellphone.

Changed 5 months ago by js

steve-e, I understand that, as there's no PyOpenSSL for Python 2.5 in MacPorts atm. But IMO, a warning dialog isn't the right way. It should be an extra switch like --use-python-ssl-sockets or something with which you have to start Gajim, so you can be *ABSOLUTELY* sure it's not started with Python's SSL sockets by mistake (average Joe will likely just click OK without even reading it).

Changed 5 months ago by asterix

by "You" I meant "A user"

And I also think it's a packager's choice, not Gajim's choice, to force users to use pyopenssl.

Changed 5 months ago by js

Ok, it might be a packager's choice. But we should make the user ultra-aware of the fact that his connection is insecure. A normal warning dialog won't do it IMO, most users just click OK to get it out of the way.

Changed 5 months ago by steve-e

IMHO a user who is advanced enough to download the Gajim sources and compile them will also understand the security problem he might have.

The rest will always use openssl and never have a problem.

Changed 5 months ago by js

That will not warn users of a package made by a stupid maintainer who didn't include PyOpenSSL as a dependency. Additionally, PyOpenSSL is loaded at runtime, so for some reason it might fail to load, and then we just show a warning. That's bad IMO.

Changed 5 months ago by asterix

We can't handle a bad pyopenssl installation. And if for some (obscure) reason a user wants to run Gajim without pyopenssl, I don't see why we would forbid that. We allow plain-text connections too!

I vote for wontfix

Changed 5 months ago by js

Ok, maybe we should not forbid that, but make it really hard to start it without PyOpenSSL, so that the user is ultra-aware of the fact that his connection is insecure. Same as we do for unencrypted connections.

Changed 5 months ago by asterix

If it's hard to use, it's for advanced users, and I don't see why advanced users would want insecure connections more than noobs.

Changed 5 months ago by js

It should be hard to use so that noobs don't use it. They don't know what a security risk it is. On the other side, there ARE advanced users who want it, for example MacPorts users, as there's no PyOpenSSL for Python 2.5 yet. I can't think of a reason why ANY noob should use an insecure connection.

We should force noobs to use secure stuff, but let advanced users choose for themselves.

Changed 5 months ago by asterix

You mean Mac users are all advanced users? I thought Mac was easy to use for noobs ...

Changed 5 months ago by js

No, but users of Gajim on MacOS X *HAVE* to be advanced users, considering the state of the OS X port ;).

Changed 5 months ago by asterix

What about an advanced option? enable_standard_ssl, False by default, and on Gajim startup we check if PyOpenSSL is installed; if not, we show a dialog and quit?

Changed 5 months ago by js

So, you mean like this: PyOpenSSL is not installed. The user wants to connect. We check for enable_python_ssl. It is set to false. We disconnect and show a dialog. Is this what you mean? If so, that's exactly what I wanted :).

Changed 5 months ago by asterix

That's exactly what I mean.

Changed 5 months ago by js

Ok, time to hack then :).

Changed 5 months ago by asterix

  • status changed from new to closed
  • resolution set to fixed

(In [9886]) warn before connecting without PyOpenSSL. fixes #4065
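The connection-time gate the thread settles on (no PyOpenSSL plus an advanced option that defaults to False means refuse and explain, rather than a click-through warning), written out as an added illustration. This is not Gajim's code and not the change in [9886], which is not shown on this page; the option name `enable_python_ssl` is taken from the discussion, while the helper names and messages are assumptions. It also assumes a modern Python 3 `ssl` module, which, unlike the Python 2.5 sockets the ticket is about, can verify certificates; the two context builders show the difference between the verified connection the reporter wants and the encryption-without-identity mode the ticket objects to.

```python
"""Connection-time TLS gate modelled on the behaviour agreed in this ticket.

Added example, not Gajim's code. Assumptions: config key `enable_python_ssl`
(from the discussion), invented helper names, and a Python 3 stdlib `ssl`.
"""
import importlib.util
import ssl
from dataclasses import dataclass
from typing import Optional

CONNECT_VERIFIED = "connect_verified"      # PyOpenSSL present, cert checked
CONNECT_UNVERIFIED = "connect_unverified"  # user explicitly opted in
REFUSE = "refuse"                          # default: show dialog, disconnect


@dataclass
class Decision:
    action: str
    message: str


def pyopenssl_available() -> bool:
    """True if the PyOpenSSL package (importable as `OpenSSL`) is installed."""
    return importlib.util.find_spec("OpenSSL") is not None


def decide_tls_backend(have_pyopenssl: bool, config: dict) -> Decision:
    """Decide how to connect from the available backend and the user's config.

    If PyOpenSSL is missing and the advanced option `enable_python_ssl`
    (default False) is not set, refuse to connect and say why. No dialog
    that can be dismissed with a reflexive click.
    """
    if have_pyopenssl:
        return Decision(CONNECT_VERIFIED,
                        "Connecting with certificate verification (PyOpenSSL).")
    if config.get("enable_python_ssl", False):
        return Decision(
            CONNECT_UNVERIFIED,
            "WARNING: enable_python_ssl is set. The server certificate will "
            "not be verified, so a man-in-the-middle can read this connection.")
    return Decision(
        REFUSE,
        "PyOpenSSL is not installed, so the server certificate cannot be "
        "verified. Install PyOpenSSL, or set the advanced option "
        "enable_python_ssl to connect anyway at your own risk.")


def verifying_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """A context that actually resists MITM: chain validated against trusted
    CAs (system store, or `cafile`) and the hostname checked against the cert."""
    ctx = ssl.create_default_context(cafile=cafile)
    # create_default_context already sets these; keep them explicit.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def unverified_context() -> ssl.SSLContext:
    """What the ticket objects to: encryption with no identity check.
    Any certificate, including an attacker's, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def choose_context(config: dict) -> Optional[ssl.SSLContext]:
    """Apply the decision: a context to connect with, or None to abort."""
    decision = decide_tls_backend(pyopenssl_available(), config)
    print(decision.message)
    if decision.action == REFUSE:
        return None
    if decision.action == CONNECT_UNVERIFIED:
        return unverified_context()
    return verifying_context()


if __name__ == "__main__":
    for cfg in ({}, {"enable_python_ssl": True}):
        print(cfg, "->", decide_tls_backend(False, cfg).action)
    print("verified path ->", decide_tls_backend(True, {}).action)
```

`ssl.CERT_NONE` is 0 and `ssl.CERT_REQUIRED` is 2, so the two contexts can be told apart without importing the module's constants; with `verify_mode = CERT_NONE` the handshake succeeds against any certificate, which is exactly the property that makes the connection worthless against an active attacker.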
