Inspired by gwibber bypasses certificate checking when providing the login/password for OAuth, I started looking in other (microblogging) applications whether they do proper SSL certificate checks or not.

Note 1: While I think paid SSL certificates are snake oil, the user should be able to trust the app that it is connecting to a "verified" (= already known) host.

Note 2: Not all listed apps are packaged in Debian, I'm just abusing wiki.d.o as a "generic" wiki-host.

appplication

in Debian

Debian Bug

Upstream Bug

library used

affected parts

gwibber

Yes

608724

LP:705363

python's urllib2

reported against identi.ca backend, looking at the source says all backends

heybuddy

No

LP:798300

python's urllib2

identi.ca

hotot

Yes

hotot issue 388

python WebKit?

tested with identi.ca, twitter should be too

pino

Yes

pino issue 339

tested with identi.ca

pino3

No

pino3 issue 21

librest

doesn't SSL at all by default, after patching the identi.ca urls failed as expected

turpial

Yes

631422

python's urllib2

identi.ca does not use HTTPS by default, fails after patching. twitter fails immediately