Inspired by gwibber bypasses certificate checking when providing the login/password for OAuth, I started looking in other (microblogging) applications whether they do proper SSL certificate checks or not.
Note 1: While I think paid SSL certificates are snake oil, the user should be able to trust the app that it is connecting to a "verified" (= already known) host.
Note 2: Not all listed apps are packaged in Debian, I'm just abusing wiki.d.o as a "generic" wiki-host.
appplication |
in Debian |
Debian Bug |
Upstream Bug |
library used |
affected parts |
Yes |
python's urllib2 |
reported against identi.ca backend, looking at the source says all backends |
|||
No |
|
python's urllib2 |
identi.ca |
||
No |
|
python WebKit? |
tested with identi.ca, twitter should be too |
||
Yes |
|
|
tested with identi.ca |
||
No |
|
|
doesn't SSL at all by default, after patching the identi.ca urls failed as expected |