Deficiency in urllib/socket for https?

John J. Lee jjl at pobox.com
Fri Aug 22 23:31:31 CEST 2003


Gary Feldman <gafStopSpamData at ziplink.stopallspam.net> writes:

> On 22 Aug 2003 15:47:59 +0100, jjl at pobox.com (John J. Lee) wrote:
> 
> Thanks for your extensive reply.  All I can say is that any environment
> that silently does https interactions without verifying the certificate,
> and without loudly warning the user, is a security catastrophe waiting to
> happen.  While I don't claim to be a web security expert, I've spent enough
[...]
> Even if it's just a clearly labelled warning in urlopen saying that it
> ignores https certification errors, which by definition defeats a primary
> purpose of https (it gets you encryption but no authentication).
[...]

You're right -- with the caveat that it is useful to have https even
without authentication (essentially all https traffic on the internet
proves that ;-).

Would you mind submitting a doc patch (both urllib and urllib2 docs
appear to need fixing -- urllib2 to say that it never verifies, urllib
to say that it skips verification if an appropriate x509 mapping isn't
supplied)?


John




More information about the Python-list mailing list