Opened at 2012-01-01T21:22:31Z
Closed at 2012-01-01T21:28:59Z
#882 closed defect (duplicate)
does not verify SSL certificates for twitter/identica
Reported by: | | Owned by: |
---|---|---|---
Priority: | normal | Milestone: |
Component: | | Version: | 3.0.4
Keywords: | | Cc: |
IRC client+version: | Client-independent | Operating System: | Linux
OS version/distro: | | |
Description
Heya,
BitlBee seems not to verify the SSL certificates when connecting to Twitter/identi.ca, thus allowing MITM.
to reproduce:
- start a httpd with a random cert on port 443
- put "127.0.0.1 identi.ca api.identi.ca api.twitter.com twitter.com" in /etc/hosts
- start bitlbee and create a twitter or identica account
result:
httpd sees in its log:
(twitter)
127.0.0.1 - - [01/Jan/2012:22:15:39 +0100] "POST /oauth/request_token HTTP/1.0" 404 1576 "-" "-"
127.0.0.1 - - [01/Jan/2012:22:15:44 +0100] "POST /oauth/request_token HTTP/1.0" 404 1576 "-" "-"
127.0.0.1 - - [01/Jan/2012:22:15:59 +0100] "POST /oauth/request_token HTTP/1.0" 404 1576 "-" "-"
(identica)
127.0.0.1 - - [01/Jan/2012:22:16:17 +0100] "GET /api/friends/ids.xml?cursor=-1 HTTP/1.0" 404 1576 "-" "BitlBee 3.0.4+bzr855-1 Linux/x86_64"
127.0.0.1 - - [01/Jan/2012:22:16:22 +0100] "GET /api/friends/ids.xml?cursor=-1 HTTP/1.0" 404 1576 "-" "BitlBee 3.0.4+bzr855-1 Linux/x86_64"
expected: warning, the cert does not match, ask the user to continue or not
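The setup described in the report, as an added test harness (not code from the ticket or from the BitlBee project) using Python's ssl module: a throwaway certificate standing in for the "random cert", a local TLS server standing in for the reporter's httpd, and a client that either verifies the peer name the way the ticket expects or skips verification the way the report describes. It assumes the openssl CLI is installed; the name api.twitter.com appears only as the host the client believes it is talking to, and nothing outside 127.0.0.1 is contacted.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_random_cert(cn="localhost"):
    """Throwaway self-signed cert for `cn` (the ticket's 'random cert'), via the openssl CLI (assumed installed)."""
    d = tempfile.mkdtemp()
    key, crt = os.path.join(d, "key.pem"), os.path.join(d, "cert.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-keyout", key, "-out", crt, "-subj", f"/CN={cn}",
                    "-addext", f"subjectAltName=DNS:{cn}"], check=True, capture_output=True)
    return crt, key

def start_tls_server(crt, key, connections=1):
    """Stand-in for the reporter's httpd: answers `connections` handshakes on 127.0.0.1, returns the port."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(connections)
    def serve():
        for _ in range(connections):
            conn, _addr = lsock.accept()
            try:
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.recv(1)                 # only the handshake matters here
            except (ssl.SSLError, OSError):
                pass                            # a verifying client aborts the handshake
        lsock.close()
    threading.Thread(target=serve, daemon=True).start()
    return lsock.getsockname()[1]

def tls_connect(port, expected_host, ca_file, verify=True):
    """Handshake with the server as if it were `expected_host`; returns (accepted, detail).
    verify=True is the behaviour the ticket expects; verify=False reproduces the reported one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)       # defaults: CERT_REQUIRED + check_hostname
    if verify:
        ctx.load_verify_locations(cafile=ca_file)       # trust only our constructed cert
    else:
        ctx.check_hostname = False                      # must be disabled before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection(("127.0.0.1", port)) as raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=expected_host) as tls:
                return True, tls.version()
        except ssl.SSLCertVerificationError as e:
            return False, e.verify_message

if __name__ == "__main__":
    crt, key = make_random_cert()
    port = start_tls_server(crt, key)
    print(tls_connect(port, "api.twitter.com", crt))   # (False, ...): name mismatch is rejected
```

With verify=False the same handshake completes and the client has no idea it is talking to a server holding the wrong certificate, which is what the httpd log above shows.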
Attachments (0)
Change History (1)
comment:1 Changed at 2012-01-01T21:28:59Z by
Priority: | critical → normal
---|---
Resolution: | → duplicate
Status: | new → closed
#369
It's even fixed already. Checking for dupes before opening alarmist tickets would be appreciated. Who knows how many SSL client implementations do this. BitlBee has been fixed for a few weeks now; just enable it in bitlbee.conf if you care.
Also, start using OAuth for identi.ca.