Deficiency in urllib/socket for https?

Gary Feldman gafStopSpamData at ziplink.stopallspam.net
Fri Aug 22 19:47:30 CEST 2003


On 22 Aug 2003 15:47:59 +0100, jjl at pobox.com (John J. Lee) wrote:

Thanks for your extensive reply.  All I can say is that any environment
that silently does https interactions without verifying the certificate,
and without loudly warning the user, is a security catastrophe waiting to
happen.  While I don't claim to be a web security expert, I've spent enough
time dealing with such issues to know how critical this is, and how
important it is to be take responsibility for such issues at all times.
Even if it's just a clearly labelled warning in urlopen saying that it
ignores https certification errors, which by definition defeats a primary
purpose of https (it gets you encryption but no authentication).

>That sounds great if you have the time to write the code.  Nobody else
>is likely to.

I have the time at the moment (unfortunately).  I'm still working on the
Python expertise.

Gary





More information about the Python-list mailing list