Diff for "EvgeniGolov/SSL_Verification_Fails"

Differences between revisions 11 and 15 (spanning 4 versions)

Inspired by gwibber bypasses certificate checking when providing the login/password for OAuth, I started looking in other (microblogging) applications whether they do proper SSL certificate checks or not.

Note 1: While I think paid SSL certificates are snake oil, the user should be able to trust the app that it is connecting to a "verified" (= already known) host.

Note 2: Not all listed apps are packaged in Debian, I'm just abusing wiki.d.o as a "generic" wiki-host.

appplication	vulnerable?	in Debian	Debian Bug	Upstream Bug	library used	affected parts
bitlbee	Yes	Yes				tested identi.ca only
bti	Yes	Yes			libcurl3-gnutls	identi.ca backend, didn't test twitter
choqok	No	Yes
gwibber	Yes	Yes	608724	LP:705363	python's urllib2	reported against identi.ca backend, looking at the source says all backends
heybuddy	No	No		LP:798300	python's urllib2	identi.ca
hotot	Yes	Yes		hotot issue 388	python WebKit?	tested with identi.ca, twitter should be too
pidgin-microblog	No	Yes			curl?	does not use SSL by default on identi.ca, fine otherwise
pino	Yes	Yes		pino issue 339		tested with identi.ca
pino3	Yes	No		pino3 issue 21	librest	doesn't SSL at all by default, after patching the identi.ca urls failed as expected
qwit	No	Yes			qt4
smuxi	No	Yes			mono
ttytter	No	Yes			curl	needs -ssl to enable ssl
turpial	Yes	Yes	631422		python's urllib2	identi.ca does not use HTTPS by default, fails after patching. twitter fails immediately
twidge	No	Yes
twitux	Yes	Yes			libsoup	no OAuth support, useless atm

-  ⇤ ← Revision 11 as of 2011-07-03 09:58:27 → 
  Size: 2257
  Editor: EvgeniGolov
  Comment:
+   ← Revision 15 as of 2011-07-03 10:32:07 → ⇥
  Size: 2438
  Editor: EvgeniGolov
  Comment:
-Deletions are marked like this.
+Additions are marked like this.
 Line 8:
+||bitlbee||Yes||Yes|| || || ||tested identi.ca only||
-Line 9:
+Line 10:
+||choqok||No||Yes|| || || || ||
-Line 17:
+Line 19:
+||ttytter||No||Yes|| || ||curl||needs -ssl to enable ssl||
||[[http://turpial.org.ve/|turpial]]||Yes||Yes||DebianBug:631422|| ||python's urllib2||identi.ca does not use HTTPS by default, fails after patching. twitter fails immediately||
||twidge||No||Yes|| || || || ||
-Line 18:
+Line 23:
-||[[http://turpial.org.ve/|turpial]]||Yes||Yes||DebianBug:631422|| ||python's urllib2||identi.ca does not use HTTPS by default, fails after patching. twitter fails immediately||