"If you don't look carefully, it may appear that the NSS plugin doesn't do any validation of the SSL certificates, but that isn't the case; the validation is done, just not by the SSL_AuthCertificateHook hook."

"If you look at ssl-nss.c#l454, you'll see that before the SSL connection is considered "connected" from libpurple's perspective, ssl_nss_handshake_cb is called to validate the certificate using the libpurple's purple_certificate_verify functionality."

This is why you don't jump to conclusions, throw out an emotional diatribe, and generally make an ass of yourself when writing bug reports.