
#882 closed defect (duplicate)

does not verify SSL certificates for twitter/identica

Reported by: evgeni@…
Owned by:
Priority: normal
Milestone:
Component: Twitter
Version: 3.0.4
Keywords:
Cc:
IRC client+version: Client-independent
Operating System: Linux
OS version/distro:

Description

Heya,

BitlBee seems not to verify the SSL certificates when connecting to Twitter/identi.ca, thus allowing MITM.

to reproduce:

  1. start a httpd with a random cert on port 443
  2. put "127.0.0.1 identi.ca api.identi.ca api.twitter.com twitter.com" in /etc/hosts
  3. start bitlbee and create a twitter or identica account

result:

httpd sees in its log:

(twitter)
127.0.0.1 - - [01/Jan/2012:22:15:39 +0100] "POST /oauth/request_token HTTP/1.0" 404 1576 "-" "-"
127.0.0.1 - - [01/Jan/2012:22:15:44 +0100] "POST /oauth/request_token HTTP/1.0" 404 1576 "-" "-"
127.0.0.1 - - [01/Jan/2012:22:15:59 +0100] "POST /oauth/request_token HTTP/1.0" 404 1576 "-" "-"
(identica)
127.0.0.1 - - [01/Jan/2012:22:16:17 +0100] "GET /api/friends/ids.xml?cursor=-1 HTTP/1.0" 404 1576 "-" "BitlBee 3.0.4+bzr855-1 Linux/x86_64"
127.0.0.1 - - [01/Jan/2012:22:16:22 +0100] "GET /api/friends/ids.xml?cursor=-1 HTTP/1.0" 404 1576 "-" "BitlBee 3.0.4+bzr855-1 Linux/x86_64"

expected: warning, the cert does not match, ask the user to continue or not

Attachments (0)

Change History (1)

comment:1 Changed at 2012-01-01T21:28:59Z by wilmer

Priority: critical → normal
Resolution: → duplicate
Status: new → closed

#369

It's even fixed already. Checking for dupes before opening alarmist tickets would be appreciated. Who knows how many SSL client implementations do this. BitlBee has been fixed for a few weeks now, just enable it in bitlbee.conf if you care.

Also, start using OAuth for identi.ca.
