Evgeni Golov
2011-Jun-23 17:55 UTC
[Secure-testing-team] Bug#631422: does not use SSL on identi.ca / ignores SSL certificates on Twitter
Package: turpial
Version: 1.5.0-1
Severity: grave
Tags: security

Hi,

Inspired by the same bug in gwibber (https://bugs.launchpad.net/gwibber/+bug/705363), heybuddy (https://bugs.launchpad.net/heybuddy/+bug/798300) and pino (http://code.google.com/p/pino-twitter/issues/detail?id=339) I checked turpial and it failed the same way :(

For identi.ca HTTPS is not even used (username/password are sent as plaintext to the server). Editing api/protocols/identica/identica.py to use https://identi.ca/api as API endpoint does not help much: SSL is used, but certificates aren't checked, making man-in-the-middle attacks possible.

For Twitter HTTPS is used, but the same no-cert-verify flaw applies here.

regards
Evgeni Golov

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-rc3+ (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages turpial depends on:
ii  gstreamer0.10-plugins-base  0.10.34-1   GStreamer plugins from the "base"
ii  python                      2.6.6-14    interactive high-level object-orie
ii  python-gst0.10              0.10.21-2+b1  generic media-playing framework (P
ii  python-gtk2                 2.24.0-2    Python bindings for the GTK+ widge
ii  python-gtkspell             2.25.3-10   Python bindings for the GtkSpell l
ii  python-notify               0.1.1-2+b3  Python bindings for libnotify
ii  python-oauth                1.0.1-3     Python library implementing of the
ii  python-pkg-resources        0.6.16-1    Package Discovery and Resource Acc
ii  python-simplejson           2.1.6-1     simple, fast, extensible JSON enco
ii  python-webkit               1.1.8-2     WebKit/Gtk Python bindings
ii  python2.6                   2.6.7-1     An interactive high-level object-o
ii  python2.7                   2.7.2-1     An interactive high-level object-o

turpial recommends no packages.
turpial suggests no packages.

-- no debconf information
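The two defects in the report (a plaintext API endpoint, and TLS negotiated without any certificate check) are both client-side configuration mistakes. The following is an added example, not code from turpial or from the bug reporter, using Python 3's standard ssl module: it builds the weak client context beside the hardened one and audits an endpoint URL plus context the way a reviewer would. The endpoint constants and the audit function names are constructed for this illustration.

```python
import socket
import ssl
from urllib.parse import urlsplit

# Constructed sample endpoints mirroring the two cases in the report.
IDENTICA_API_PLAINTEXT = "http://identi.ca/api"   # as shipped: no TLS at all
IDENTICA_API_TLS = "https://identi.ca/api"        # the endpoint after the edit


def hardened_context() -> ssl.SSLContext:
    """Client context that verifies the chain against the system CAs and checks the hostname."""
    return ssl.create_default_context()  # verify_mode=CERT_REQUIRED, check_hostname=True


def unverified_context() -> ssl.SSLContext:
    """The weak pattern the report describes: TLS is negotiated, but any certificate is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode may become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_endpoint(url: str, ctx: ssl.SSLContext) -> list:
    """Return the findings a reviewer would raise for an API endpoint and its client TLS context."""
    findings = []
    if urlsplit(url).scheme.lower() != "https":
        findings.append("plaintext transport: credentials cross the wire unencrypted")
        return findings  # the TLS context is irrelevant when TLS is never used
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified: any certificate is accepted")
    if not ctx.check_hostname:
        findings.append("hostname not checked: a valid certificate for another name is accepted")
    return findings


def connect_verified(url: str, timeout: float = 10.0) -> str:
    """Open a verified TLS connection to the endpoint host and return the negotiated version.
    Raises ssl.SSLCertVerificationError on an untrusted or mismatched certificate (needs network)."""
    host = urlsplit(url).hostname
    with socket.create_connection((host, 443), timeout=timeout) as raw:
        with hardened_context().wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    for label, url, ctx in (("shipped", IDENTICA_API_PLAINTEXT, hardened_context()),
                            ("edited, unverified", IDENTICA_API_TLS, unverified_context()),
                            ("edited, verified", IDENTICA_API_TLS, hardened_context())):
        print(label, "->", audit_endpoint(url, ctx) or ["ok"])
```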