date: 2014-10-22T00:00:00.000Z
summary: Insufficient SSL certificate validation
An anonymous person and Jacob Appelbaum of the Tor Project, with thanks to
Moxie Marlinspike for first publishing about this type of vulnerability
Both of libpurple's bundled SSL/TLS plugins (one for GnuTLS and one for NSS)
failed to check that the Basic Constraints extension allowed intermediate
certificates to act as CAs. This allowed anyone with any valid certificate to
create a fake certificate for any arbitrary domain and Pidgin would trust it.
Both bundled plugins were changed to check the Basic Constraints extension on
all intermediate CA certificates.