Diff for "EvgeniGolov/SSL_Verification_Fails"

Differences between revisions 10 and 19 (spanning 9 versions)

Inspired by gwibber bypasses certificate checking when providing the login/password for OAuth, I started looking in other (microblogging) applications whether they do proper SSL certificate checks or not.

Note 1: While I think paid SSL certificates are snake oil, the user should be able to trust the app that it is connecting to a "verified" (= already known) host.

Note 2: Not all listed apps are packaged in Debian, I'm just abusing wiki.d.o as a "generic" wiki-host.

appplication	vulnerable?	in Debian	Debian Bug	Upstream Bug	library used	affected parts
bitlbee	Yes	Yes		BitlBee ticket 882		tested identi.ca and twitter only
bti	Yes	Yes			libcurl3-gnutls	identi.ca backend, didn't test twitter
choqok	No	Yes
gwibber	Yes	Yes	608724	LP:705363	python's urllib2	reported against identi.ca backend, looking at the source says all backends
heybuddy	No	No		LP:798300	python's urllib2	identi.ca
hotot	Yes	Yes		hotot issue 388 closed as not a bug	python WebKit?	tested with identi.ca, twitter should be too
pidgin-microblog	No	Yes			curl?	does not use SSL by default on identi.ca, fine otherwise
pino	Yes	Yes		pino issue 339		tested with identi.ca
pino3	Yes	No		pino3 issue 21	librest	doesn't SSL at all by default, after patching the identi.ca urls failed as expected
qwit	No	Yes			qt4
smuxi	No	Yes			mono
ttytter	No	Yes			curl	needs -ssl to enable ssl
turpial	Yes	Yes	631422		python's urllib2	identi.ca does not use HTTPS by default, fails after patching. twitter fails immediately
twidge	No	Yes
twitux	Yes	only lenny			libsoup	no OAuth support, useless atm

-  ⇤ ← Revision 10 as of 2011-07-03 09:10:33 → 
  Size: 2170
  Editor: EvgeniGolov
  Comment:
+   ← Revision 19 as of 2012-01-01 21:27:01 → ⇥
  Size: 2611
  Editor: EvgeniGolov
  Comment:
-Deletions are marked like this.
+Additions are marked like this.
 Line 8:
+||[[http://bitlbee.org|bitlbee]]||Yes||Yes|| ||[[http://bugs.bitlbee.org/bitlbee/ticket/882|BitlBee ticket 882]]|| ||tested identi.ca and twitter only||
||bti||Yes||Yes|| || || libcurl3-gnutls  || identi.ca backend, didn't test twitter ||
||choqok||No||Yes|| || || || ||
-Line 10:
+Line 13:
-||[[http://www.hotot.org/|hotot]]||Yes||Yes|| ||[[http://code.google.com/p/hotot/issues/detail?id=388|hotot issue 388]]||python !WebKit?||tested with identi.ca, twitter should be too||
+||[[http://www.hotot.org/|hotot]]||Yes||Yes|| ||[[http://code.google.com/p/hotot/issues/detail?id=388|hotot issue 388]] [[https://github.com/shellex/Hotot/issues/15|closed as not a bug]]||python !WebKit?||tested with identi.ca, twitter should be too||
-Line 16:
+Line 19:
-||[[http://live.gnome.org/DanielMorales/Twitux|twitux]]||Yes||Yes|| || ||libsoup||no OAuth support, useless atm||
+||ttytter||No||Yes|| || ||curl||needs -ssl to enable ssl||
-Line 18:
+Line 21:
+||twidge||No||Yes|| || || || ||
||[[http://live.gnome.org/DanielMorales/Twitux|twitux]]||Yes||only lenny|| || ||libsoup||no OAuth support, useless atm||