Differences between revisions 2 and 20 (spanning 18 versions)
Revision 2 as of 2011-06-18 11:34:02
Size: 1618
Editor: EvgeniGolov
Comment:
Revision 20 as of 2012-01-01 21:39:06
Size: 2641
Editor: EvgeniGolov
Comment:
Line 7: Line 7:
||'''appplication'''||'''in Debian'''||'''Debian Bug'''||'''Upstream Bug'''||'''library used'''||'''affected parts'''||
||[[http://gwibber.com/|gwibber]]||Yes||[[http://bugs.debian.org/608724|#608724]]||[[https://bugs.launchpad.net/gwibber/+bug/705363|LP:705363]]||python's urllib2||reported against identi.ca backend, looking at the source says all backends||
||[[http://www.jezra.net/projects/heybuddy|heybuddy]]||No|| || --([[https://bugs.launchpad.net/heybuddy/+bug/798300|LP:798300]])-- ||python's urllib2||identi.ca||
||[[http://www.hotot.org/|hotot]]||No|| ||[[http://code.google.com/p/hotot/issues/detail?id=388|hotot issue 388]]||python !WebKit?||tested with identi.ca, twitter should be too||
||[[http://pino-app.appspot.com|pino]]||Yes|| ||[[http://code.google.com/p/pino-twitter/issues/detail?id=339|pino issue 339]]|| ||tested with identi.ca||
||[[http://pino-app.appspot.com|pino3]]||No|| ||[[https://bitbucket.org/troorl/pino3/issue/21/pino3-should-use-ssl-https-and-validate|pino3 issue 21]]|| ||doesn't SSL at all by default, after patching the identi.ca urls failed as expected||
||'''appplication'''||'''vulnerable?'''||'''in Debian'''||'''Debian Bug'''||'''Upstream Bug'''||'''library used'''||'''affected parts'''||
||[[http://bitlbee.org|bitlbee]]||Yes||Yes|| ||--([[http://bugs.bitlbee.org/bitlbee/ticket/369|BitlBee ticket 369]])--|| ||fixed upstream, not in debian yet, not enabled by default||
||bti
||Yes||Yes|| || || libcurl3-gnutls || identi.ca backend, didn't test twitter ||
||choqok||No||Yes|| || || || ||
||
[[http://gwibber.com/|gwibber]]||Yes||Yes||DebianBug:608724||[[https://bugs.launchpad.net/gwibber/+bug/705363|LP:705363]]||python's urllib2||reported against identi.ca backend, looking at the source says all backends||
||[[http://www.jezra.net/projects/heybuddy|heybuddy]]||No||No|| || --([[https://bugs.launchpad.net/heybuddy/+bug/798300|LP:798300]])-- ||python's urllib2||identi.ca||
||[[http://www.hotot.org/|hotot]]||Yes||Yes|| ||[[http://code.google.com/p/hotot/issues/detail?id=388|hotot issue 388]] [[https://github.com/shellex/Hotot/issues/15|closed as not a bug]]||python !WebKit?||tested with identi.ca, twitter should be too||
||pidgin-microblog||No||Yes|| || ||curl?||does not use SSL by default on identi.ca, fine otherwise||
||
[[http://pino-app.appspot.com|pino]]||Yes||Yes|| ||[[http://code.google.com/p/pino-twitter/issues/detail?id=339|pino issue 339]]|| ||tested with identi.ca||
||[[http://pino-app.appspot.com|pino3]]||Yes||No|| ||[[https://bitbucket.org/troorl/pino3/issue/21/pino3-should-use-ssl-https-and-validate|pino3 issue 21]]|| librest ||doesn't SSL at all by default, after patching the identi.ca urls failed as expected||
||[[http://code.google.com/p/qwit/|qwit]]||No||Yes|| || ||qt4|| ||
||[[http://www.smuxi.org/|smuxi]]||No||Yes|| || ||mono|| ||
||ttytter||No||Yes|| || ||curl||needs -ssl to enable ssl||
||[[http://turpial.org.ve/|turpial]]||Yes||Yes||DebianBug:631422|| ||python's urllib2||identi.ca does not use HTTPS by default, fails after patching. twitter fails immediately||
||twidge||No||Yes|| || || || ||
||[[http://live.gnome.org/DanielMorales/Twitux|twitux]]||Yes||only lenny|| || ||libsoup||no OAuth support, useless atm||
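Review bot: the bti and pino rows are marked vulnerable and in Debian yet have an empty "Debian Bug" cell, while the gwibber and turpial rows carry a DebianBug:NNN link; file or link the bug for those two so the column tells a maintainer what to fix. The hotot row is also marked "Yes" while the linked upstream issue is "closed as not a bug"; the "affected parts" cell should say why the table still counts it as vulnerable (which part of the WebKit-based stack skips the check), otherwise a reader cannot tell whether the Debian package is still affected.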

Inspired by gwibber bypassing certificate checking when providing the login/password for OAuth, I started looking at other (microblogging) applications to see whether they do proper SSL certificate checks or not.

Note 1: While I think paid SSL certificates are snake oil, the user should be able to trust that the app is connecting to a "verified" (= already known) host.

Note 2: Not all listed apps are packaged in Debian; I'm just abusing wiki.d.o as a "generic" wiki host.

||'''application'''||'''vulnerable?'''||'''in Debian'''||'''Debian Bug'''||'''Upstream Bug'''||'''library used'''||'''affected parts'''||
||[[http://bitlbee.org|bitlbee]]||Yes||Yes|| ||--([[http://bugs.bitlbee.org/bitlbee/ticket/369|BitlBee ticket 369]])--|| ||fixed upstream, not in Debian yet, not enabled by default||
||bti||Yes||Yes|| || ||libcurl3-gnutls||identi.ca backend, didn't test twitter||
||choqok||No||Yes|| || || || ||
||[[http://gwibber.com/|gwibber]]||Yes||Yes||DebianBug:608724||[[https://bugs.launchpad.net/gwibber/+bug/705363|LP:705363]]||python's urllib2||reported against identi.ca backend, looking at the source says all backends||
||[[http://www.jezra.net/projects/heybuddy|heybuddy]]||No||No|| ||--([[https://bugs.launchpad.net/heybuddy/+bug/798300|LP:798300]])--||python's urllib2||identi.ca||
||[[http://www.hotot.org/|hotot]]||Yes||Yes|| ||[[http://code.google.com/p/hotot/issues/detail?id=388|hotot issue 388]] ([[https://github.com/shellex/Hotot/issues/15|closed as not a bug]])||python WebKit?||tested with identi.ca, twitter should be too||
||pidgin-microblog||No||Yes|| || ||curl?||does not use SSL by default on identi.ca, fine otherwise||
||[[http://pino-app.appspot.com|pino]]||Yes||Yes|| ||[[http://code.google.com/p/pino-twitter/issues/detail?id=339|pino issue 339]]|| ||tested with identi.ca||
||[[http://pino-app.appspot.com|pino3]]||Yes||No|| ||[[https://bitbucket.org/troorl/pino3/issue/21/pino3-should-use-ssl-https-and-validate|pino3 issue 21]]||librest||doesn't use SSL at all by default; after patching, the identi.ca URLs failed as expected||
||[[http://code.google.com/p/qwit/|qwit]]||No||Yes|| || ||qt4|| ||
||[[http://www.smuxi.org/|smuxi]]||No||Yes|| || ||mono|| ||
||ttytter||No||Yes|| || ||curl||needs -ssl to enable SSL||
||[[http://turpial.org.ve/|turpial]]||Yes||Yes||DebianBug:631422|| ||python's urllib2||identi.ca does not use HTTPS by default, fails after patching; twitter fails immediately||
||twidge||No||Yes|| || || || ||
||[[http://live.gnome.org/DanielMorales/Twitux|twitux]]||Yes||only lenny|| || ||libsoup||no OAuth support, useless atm||
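The probe behind the table's "fails after patching" notes, as an added example that is not part of the wiki page or of any listed application: an HTTPS server is started with a certificate that no trust store knows, and a client is pointed at it in three ways. The first mode accepts any certificate, which is what the page reports for the flagged apps (Python 2's urllib2 did no verification at all; Python 3's urllib.request used here verifies by default, so the non-verifying behaviour has to be requested explicitly). The second mode uses the system trust store and must refuse the connection. The third trusts exactly the expected certificate, the "verified (= already known) host" of Note 1. The harness assumes the `openssl` command-line tool is on PATH (used only to mint a throwaway self-signed certificate); the certificate, the `localhost` name and the response body are constructed for the test.

```python
"""Probe whether an HTTPS client verifies the server certificate.

Added example; not code from the wiki page or from any listed
application.  Assumes the `openssl` CLI is available (OpenSSL 1.1.1+
for -addext).  Everything else is Python standard library.
"""
import http.server
import os
import ssl
import subprocess
import tempfile
import threading
import urllib.error
import urllib.request


def make_self_signed_cert(directory):
    """Mint a throwaway self-signed certificate for 'localhost' (constructed test data)."""
    key = os.path.join(directory, "key.pem")
    crt = os.path.join(directory, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", crt, "-days", "1",
         "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost"],
        check=True, capture_output=True,
    )
    return key, crt


class _Handler(http.server.BaseHTTPRequestHandler):
    """Minimal origin standing in for the microblogging API endpoint."""

    def do_GET(self):
        body = b"hello"  # constructed response body
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the harness quiet
        pass


def start_tls_server(key, crt):
    """Serve HTTPS on an ephemeral 127.0.0.1 port with the given cert; return (server, port)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _Handler)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    server.socket = ctx.wrap_socket(server.socket, server_side=True)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def no_verify_context():
    """The behaviour the page found in the flagged apps: any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before dropping verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch(port, ctx):
    """Fetch https://localhost:<port>/ and report ('ok', body) or ('refused', reason)."""
    url = "https://localhost:%d/" % port
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=5) as resp:
            return "ok", resp.read().decode()
    except urllib.error.URLError as e:
        # TLS failures surface here wrapped as URLError; the reason names the check that failed.
        return "refused", str(e.reason)


def run_probe():
    """Run the three client modes against the untrusted server and return their outcomes."""
    with tempfile.TemporaryDirectory() as d:
        key, crt = make_self_signed_cert(d)
        server, port = start_tls_server(key, crt)
        try:
            return {
                # what a non-checking app does: connects happily to anyone
                "no_verification": fetch(port, no_verify_context()),
                # what a correct app does: the cert is unknown, so it refuses
                "system_trust_store": fetch(port, ssl.create_default_context()),
                # trusting the one expected cert: the "already known host" of Note 1
                "known_host_pinned": fetch(port, ssl.create_default_context(cafile=crt)),
            }
        finally:
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    for mode, outcome in run_probe().items():
        print("%-20s %s" % (mode, outcome))
```

Run it as a script to print the three outcomes. An application that behaves like the first mode against a real service is vulnerable in the table's sense; the same probe works on any client by pointing its API endpoint at the local port, which is the "patching the identi.ca URLs" step the table describes for apps that do not use HTTPS by default.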