#882 closed defect (duplicate)

does not verify SSL certificates for twitter/identica

Reported by: evgeni@… Owned by:
Priority: normal Milestone:
Component: Twitter Version: 3.0.4
Keywords: Cc:
IRC client+version: Client-independent Operating System: Linux
OS version/distro:



BitlBee seems not to verify the SSL certificates when connectecting to Twitter/, thus allowing MITM.

to reproduce:

  1. start a httpd with a random cert on port 443
  2. put "" in /etc/hosts
  3. start bitlbee and create a twitter or identica account


httpd sees in its log:

(twitter) - - [01/Jan/2012:22:15:39 +0100] "POST /oauth/request_token HTTP/1.0" 404 1576 "-" "-" - - [01/Jan/2012:22:15:44 +0100] "POST /oauth/request_token HTTP/1.0" 404 1576 "-" "-" - - [01/Jan/2012:22:15:59 +0100] "POST /oauth/request_token HTTP/1.0" 404 1576 "-" "-"
(identica) - - [01/Jan/2012:22:16:17 +0100] "GET /api/friends/ids.xml?cursor=-1 HTTP/1.0" 404 1576 "-" "BitlBee 3.0.4+bzr855-1 Linux/x86_64" - - [01/Jan/2012:22:16:22 +0100] "GET /api/friends/ids.xml?cursor=-1 HTTP/1.0" 404 1576 "-" "BitlBee 3.0.4+bzr855-1 Linux/x86_64"

expected: warning, the cert does not match, ask the user to continue or not

Attachments (0)

Change History (1)

comment:1 Changed at 2012-01-01T21:28:59Z by wilmer

Priority: criticalnormal
Resolution: duplicate
Status: newclosed


It's even fixed already. Checking for dupes before opening alarmist tickets would be appreciated. Who knows how many SSL client implementations do this. BitlBee is fixed since a few weeks ago, just enable it in bitlbee.conf if you care.

Also, start using OAuth for

Modify Ticket

as closed The ticket will remain with no owner.
The resolution will be deleted.

Add Comment

E-mail address and name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.