Pidgin certificate prompt

16 Dec 2008

Today, using the version of Pidgin that came with Fedora 10, I received the following certificate prompt:

Accept certificate for ows.messenger.msn.com?
The root certificate this one claims to be issued by is unknown to Pidgin.

The majority of cases of unknown certificate issuers are due to the chain of trust breaking down. This breakdown in the certificate chain is mainly caused by the software in question not including the intermediate certificate authorities' certificates. Without these intermediate certificates, the software cannot verify the certificate hierarchy up to the root certificate and therefore prompts the user about what to do.

The options I received in the Pidgin prompt were:

View certificate
Accept
Reject

Upon selecting “View certificate” I am presented with the following details:

Common name: ows.messenger.msn.com
Fingerprint (SHA1): a9:9c:2d:ee:4a:d1:c8:7d:a7:c5:c3:05:32:98:5f:ee:57:87:73:8a
Activation date: Tue Jan 29 14:37:21 2008
Expiration date: Wed Jan 28 14:37:21 2009

So far everything looks as if it is a bona fide certificate, but to verify the identity completely I load the page https://ows.messenger.msn.com/ in Firefox. As expected, no certificate warnings were received, and I opened the certificate viewer to see its details and confirmed the data matches up with the data received in Pidgin:

[Figure: Certificate Viewer]

I can safely trust this certificate as Firefox has verified through the certificate chain that all intermediate certificates are valid too:

[Figure: Certificate Chain]

Microsoft uses this certificate simply for the Live Messenger offline messaging service. Although you would normally trust verified certificates, certificates have in the past been incorrectly issued to the wrong people. So always be cautious!
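The comparison made above between Pidgin's prompt and Firefox's certificate viewer can also be scripted. The following is an added example, not part of the original post: it assumes Python 3, with the system trust store standing in for Firefox's chain validation, and the function names and the `SAMPLE_DER` bytes are constructed for illustration.

```python
import hashlib
import socket
import ssl

# Fingerprint shown in the Pidgin prompt quoted in the post.
PROMPT_FP = "a9:9c:2d:ee:4a:d1:c8:7d:a7:c5:c3:05:32:98:5f:ee:57:87:73:8a"
# Constructed stand-in for DER certificate bytes (not a real certificate).
SAMPLE_DER = b"abc"

def parse_fingerprint(text, digest_len=20):
    """Accept 'a9:9c:..', 'A9 9C ..' or 'a99c..'; return raw bytes (SHA-1 = 20)."""
    cleaned = "".join(ch for ch in text if ch not in ": -\t\n")
    try:
        raw = bytes.fromhex(cleaned)
    except ValueError:
        raise ValueError("fingerprint is not hexadecimal") from None
    if len(raw) != digest_len:
        raise ValueError(f"expected {digest_len} bytes, got {len(raw)}")
    return raw

def sha1_fingerprint(der):
    """SHA-1 over the DER encoding, colon-separated as in the prompt."""
    return ":".join(f"{b:02x}" for b in hashlib.sha1(der).digest())

def matches_prompt(der, prompt_fp):
    """True only if the validated certificate hashes to the prompted value."""
    return hashlib.sha1(der).digest() == parse_fingerprint(prompt_fp)

def fetch_validated_der(host, port=443, timeout=10):
    """Return the leaf certificate as DER after chain and hostname checks
    against the system trust store; raises ssl.SSLError if they fail."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

if __name__ == "__main__":
    # Offline demonstration on the constructed bytes.
    print(sha1_fingerprint(SAMPLE_DER))
    print(matches_prompt(SAMPLE_DER, PROMPT_FP))  # constructed bytes: no match
    # Live use (needs network): matches_prompt(fetch_validated_der(host), fp)
```

If the chain validates but `matches_prompt` returns false, the prompt showed a different certificate from the one the trust store vouches for, and it should be rejected.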

2 Responses to Pidgin certificate prompt

Otto Stripunsky

November 24th, 2009 at 14:27

Is it possible to ignore those prompts, like to make it always accept it?
I use Pidgin in my company’s network and every time the network falls down (which happens a couple times a day) I have to accept the certificate again.

mr-euro

November 24th, 2009 at 16:08

@Otto Stripunsky

Usually, once you accept the certificate it will be saved permanently and no more prompts will show up (for that particular one).

What may happen in your situation is that the certificate is different; perhaps you are experiencing some type of man-in-the-middle attack by your company’s sys admins. This can happen to monitor conversations.
