Revision 21 as of 2012-01-01 21:52:45 (page size 2641 → 2730). Change in this revision: the bti row gained links to the upstream project and to the upstream bug report, [[http://gregkh.github.com/bti/|bti]] and [[https://github.com/gregkh/bti/issues/21|bti issue 21]].
Inspired by gwibber bypassing certificate checking when providing the login/password for OAuth, I started looking at whether other (microblogging) applications do proper SSL certificate checks or not.
Note 1: While I think paid SSL certificates are snake oil, the user should be able to trust the app to connect to a "verified" (= already known) host.
Note 2: Not all listed apps are packaged in Debian; I'm just abusing wiki.d.o as a "generic" wiki host.
||application||vulnerable?||in Debian||Debian Bug||Upstream Bug||library used||affected parts / notes||
|| ||Yes||Yes|| || || ||fixed upstream, not in Debian yet, not enabled by default||
||[[http://gregkh.github.com/bti/|bti]]||Yes||Yes|| ||[[https://github.com/gregkh/bti/issues/21|bti issue 21]]||libcurl3-gnutls||identi.ca backend, didn't test twitter||
||choqok||No||Yes|| || || || ||
|| ||Yes||Yes|| || ||python's urllib2||reported against identi.ca backend, looking at the source says all backends||
|| ||No||No|| || ||python's urllib2||identi.ca||
|| ||Yes||Yes|| || ||python WebKit?||tested with identi.ca, twitter should be too||
||pidgin-microblog||No||Yes|| || ||curl?||does not use SSL by default on identi.ca, fine otherwise||
|| ||Yes||Yes|| || || ||tested with identi.ca||
|| ||Yes||No|| || ||librest||doesn't use SSL at all by default; after patching the identi.ca URLs it failed as expected||
|| ||No||Yes|| || ||qt4|| ||
|| ||No||Yes|| || ||mono|| ||
||ttytter||No||Yes|| || ||curl||needs -ssl to enable SSL||
|| ||Yes||Yes|| || ||python's urllib2||identi.ca does not use HTTPS by default, fails after patching; twitter fails immediately||
||twidge||No||Yes|| || || || ||
|| ||Yes||only lenny|| || ||libsoup||no OAuth support, useless atm||
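Added example, not code from this wiki page or from any of the applications listed above. Several "Yes" rows use python's urllib2, which (before Python 2.7.9) performed no certificate verification at all. The block below, written for Python 3 with only the standard library, shows that client setup next to the hardened one (chain validation plus hostname check), an audit_context() check a reviewer can run on an application's SSLContext, and a probe() that reproduces the test used for this table: point the client at a host whose certificate must not be accepted and see whether it "fails as expected". The function names, the outcome labels and the structure of the returned dict are this example's own choices.

```python
"""Added example (not from the wiki page or the listed apps): Python 3 HTTPS
client setups and a small harness for the test behind the table above."""
import ssl
import urllib.error
import urllib.request


def insecure_context() -> ssl.SSLContext:
    # Equivalent to Python 2's urllib2 before 2.7.9: TLS is used for
    # confidentiality only; the peer certificate is never validated and the
    # hostname is never checked, so any certificate is accepted.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile=None) -> ssl.SSLContext:
    # CERT_REQUIRED plus hostname matching, trust anchors from the system
    # store, or from a pinned CA bundle when cafile is given.
    ctx = ssl.create_default_context(cafile=cafile)
    assert ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Report the two properties that decide whether a client can be MITMed.

    Both must hold: a validated chain for the wrong name, or a name check
    against an unvalidated chain, is still 'vulnerable' in the table's sense.
    """
    verifies_chain = ctx.verify_mode == ssl.CERT_REQUIRED
    verifies_hostname = bool(ctx.check_hostname)
    return {
        "verifies_chain": verifies_chain,
        "verifies_hostname": verifies_hostname,
        "vulnerable": not (verifies_chain and verifies_hostname),
    }


def classify(exc) -> str:
    """Map what a probe raised to the vocabulary of the table.

    'accepted' against a host with a bad certificate means the client belongs
    in the vulnerable column; 'rejected: certificate' is the expected failure.
    """
    if exc is None:
        return "accepted"
    # CERTIFICATE_VERIFY_FAILED and hostname mismatch both raise this (3.7+),
    # either directly or wrapped in URLError by urllib.
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "rejected: certificate"
    if isinstance(exc, urllib.error.URLError) and isinstance(
        exc.reason, ssl.SSLCertVerificationError
    ):
        return "rejected: certificate"
    # DNS failure, connection refused, timeout: inconclusive, not a verdict.
    return "error: " + exc.__class__.__name__


def probe(url: str, ctx: ssl.SSLContext, timeout: float = 10.0) -> str:
    """Fetch url with ctx and classify the outcome (needs network access)."""
    opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    try:
        with opener.open(url, timeout=timeout):
            return classify(None)
    except Exception as exc:  # every outcome is classified, none is fatal
        return classify(exc)


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx))
```

To repeat the table's test, run probe() twice against a host you control that serves a self-signed or mismatched certificate: with hardened_context() it must return "rejected: certificate"; with insecure_context() it returns "accepted", which is the behaviour the "Yes" rows exhibit. Any "error: ..." result says nothing about certificate handling and should be re-run.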