Comment 7 for bug 882062

OK, after testing the patches and looking some more through the code, it
appears there are still some certificate validation issues:

On Lucid-Oneiric:
ubuntuone/syncdaemon/action_queue.py:

Uses twisted.internet.reactor.connectSSL. Unfortunately, connectSSL does
not validate the hostname against the certificate commonName (and subject
alternative names) itself, it is up to the application to enforce this.

ubuntuone-client must add this check, or a MITM can simply use any valid
certificate issued by a CA.

On Maverick:
ubuntuone/api/restclient.py: still uses urllib2 to open https connections
without proper certificate validation.

On Lucid:
bin/ubuntuone-preferences: uses httplib to open https connections without
proper certificate validation.

ubuntuone/oauthdesktop/auth.py: used httplib to open https connections.
Seems to validate certificates, but doesn't validate hostname against them.