Deficiency in urllib/socket for https?
John J. Lee
jjl at pobox.com
Fri Aug 22 17:31:31 EDT 2003
Gary Feldman <gafStopSpamData at ziplink.stopallspam.net> writes:
> On 22 Aug 2003 15:47:59 +0100, jjl at pobox.com (John J. Lee) wrote:
>
> Thanks for your extensive reply. All I can say is that any environment
> that silently does https interactions without verifying the certificate,
> and without loudly warning the user, is a security catastrophe waiting to
> happen. While I don't claim to be a web security expert, I've spent enough
[...]
> Even if it's just a clearly labelled warning in urlopen saying that it
> ignores https certification errors, which by definition defeats a primary
> purpose of https (it gets you encryption but no authentication).
[...]
You're right -- with the caveat that it is useful to have https even
without authentication (essentially all https traffic on the internet
proves that ;-).
Would you mind submitting a doc patch (both urllib and urllib2 docs
appear to need fixing -- urllib2 to say that it never verifies, urllib
to say that it skips verification if an appropriate x509 mapping isn't
supplied)?
John