Size: 1800
Comment:
|
Size: 1776
Comment:
|
Deletions are marked like this. | Additions are marked like this. |
Line 8: | Line 8: |
||[[http://gwibber.com/|gwibber]]||Yes||[[http://bugs.debian.org/608724|#608724]]||[[https://bugs.launchpad.net/gwibber/+bug/705363|LP:705363]]||python's urllib2||reported against identi.ca backend, looking at the source says all backends|| | ||[[http://gwibber.com/|gwibber]]||Yes||DebianBug:608724||[[https://bugs.launchpad.net/gwibber/+bug/705363|LP:705363]]||python's urllib2||reported against identi.ca backend, looking at the source says all backends|| |
Line 10: | Line 10: |
||[[http://www.hotot.org/|hotot]]||No|| ||[[http://code.google.com/p/hotot/issues/detail?id=388|hotot issue 388]]||python !WebKit?||tested with identi.ca, twitter should be too|| | ||[[http://www.hotot.org/|hotot]]||Yes|| ||[[http://code.google.com/p/hotot/issues/detail?id=388|hotot issue 388]]||python !WebKit?||tested with identi.ca, twitter should be too|| |
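Review bot: in the hotot row the "in Debian" cell changes from No to Yes, but the Debian Bug cell next to it is still empty (`|| ||`), so the row now lists a packaged application with only the upstream issue as a reference. If a Debian bug exists for the missing certificate check, link it here in the same `DebianBug:` form the gwibber row uses after this edit. The library cell also still reads `python !WebKit?` with a question mark, which is worth confirming while the row is being touched.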
Inspired by "gwibber bypasses certificate checking when providing the login/password for OAuth", I started looking at whether other (microblogging) applications do proper SSL certificate checks or not.
Note 1: While I think paid SSL certificates are snake oil, the user should be able to trust the app that it is connecting to a "verified" (= already known) host.
Note 2: Not all listed apps are packaged in Debian; I'm just abusing wiki.d.o as a "generic" wiki-host.
application | in Debian | Debian Bug | Upstream Bug | library used | affected parts
Yes | python's urllib2 | reported against identi.ca backend, looking at the source says all backends
No | | python's urllib2 | identi.ca
Yes | | python WebKit? | tested with identi.ca, twitter should be too
Yes | | | tested with identi.ca
No | | librest | doesn't SSL at all by default, after patching the identi.ca urls failed as expected
Yes | | python's urllib2 | identi.ca does not use HTTPS by default, fails after patching. twitter fails immediately