Python & SSL

John J. Lee jjl at pobox.com
Thu May 4 19:44:02 CEST 2006


Sybren Stuvel <sybrenUSE at YOURthirdtower.com.imagination> writes:

> John J. Lee enlightened us with:
> > Of course, remembering that the first thing to ask in response to
> > "is it secure?"  is "against what?", for lots of purposes it just
> > doesn't matter that it ignores certificates.
> 
> I'm curious. Can you give me an example? AFAIK you need to know who
> you're talking to before transmitting sensitive information, otherwise
> you could be talking to anybody - and that's just what you wanted to
> prevent with the encryption, right?

If Edward hadn't answered I would have said something along the lines
of what he said too, but more than that I just had in mind situations
where, when fetching a web page, the risk (probability and
consequences) of a man-in-the-middle attack doesn't feature much
higher than the risk of getting hit by a piece of debris from outer
space that day.  Surprisingly often, it so happens that the people
setting up the web site used https, even though as a user of the site
I don't really care about the encryption or authentication.

That doesn't mean proper certificate handling wouldn't be good to have
(it would), just that installing m2crypto and finding the right docs
isn't necessarily worth the bother.

BTW, I assume the reason the OP (I forgot who that was) didn't have
https support compiled in was just that they didn't have OpenSSL
installed when they typed ./configure (since the Python build process
on unix uses autoconf).  Either that or they installed a system
package to get Python (e.g. an .rpm) and the SSL support is is a
separate package (seems unlikely).


John




More information about the Python-list mailing list