Zulip Desktop 0.5.10 introduced a certificate validation handler to support the undocumented ignoreCerts option available by manually editing the configuration file. However, the handler inadvertently disabled all certificate validation, whether or not ignoreCerts was enabled, except during initial association with the server.
The Zulip security team discovered this issue during internal auditing. All versions of Zulip Desktop from 0.5.10 through 5.1.0 are affected.
We have fixed the validation handler to correctly respect the ignoreCerts option, which safely defaults to false. We do not recommend enabling the ignoreCerts option, and we expect to remove it completely in a future release. (Administrators of self-hosted servers should install a valid certificate, as we have always recommended; see our documentation on using Certbot.)