Certificate validation with HTTPSConnection
Ned Deily
nad at acm.org
Wed Sep 29 18:24:01 EDT 2010
In article <4CA3A46B.4080006 at animats.com>,
John Nagle <nagle at animats.com> wrote:
> We've been through this. Too many times.
>
> http://bugs.python.org/issue1114345
> (2005: Broken in Python 2.2, eventually fixed)
>
> http://www.justinsamuel.com/2008/12/25/the-importance-of-validating-ssl-certificates/
> (2008: Why this matters)
>
> http://www.mail-archive.com/python-list@python.org/msg281736.html
> (2010: Broken in new Python 2.6 SSL module.)
>
> http://bugs.python.org/issue1589
> (2010: Developer "Bill Jansen" in denial, others disagree.
> Currently being debated. See bug tracker.)
>
> The really stupid thing about the current SSL module is that it
> accepts a file of root certificates as a parameter, but ignores it.
> So it creates the illusion of security without providing it.
> As someone pointed out, the current SSL module "lets you talk
> encrypted to your attacker".
I'll just note in passing that Issue1589 is being discussed again. Feel
free to contribute.
--
Ned Deily,
nad at acm.org
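
The following is an added example, not part of the original message or of the Python project's code. It shows the failure mode the quoted text describes (root certificates supplied, server still not authenticated) using the current Python 3 `ssl` and `http.client` APIs rather than the 2.6 module under discussion. The function names `validation_gaps`, `encrypt_only_context` and `https_connection` are hypothetical.

```python
import http.client
import ssl


def validation_gaps(ctx):
    """List the reasons this SSLContext would not authenticate the server."""
    gaps = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        gaps.append("certificate chain not required (%s)" % ctx.verify_mode.name)
    if not ctx.check_hostname:
        gaps.append("certificate not matched against host name")
    return gaps


def encrypt_only_context():
    """Constructed weak setting: roots are loaded, yet nothing is enforced."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    ctx.load_default_certs()         # roots loaded, verification result still ignored
    return ctx


def https_connection(host, ctx=None, port=443, timeout=10):
    """Return an HTTPSConnection only if its context authenticates the peer."""
    ctx = ctx if ctx is not None else ssl.create_default_context()
    gaps = validation_gaps(ctx)
    if gaps:
        raise ValueError("refusing unauthenticated TLS: " + "; ".join(gaps))
    # No network traffic happens here; the handshake runs on the first request.
    return http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)


if __name__ == "__main__":
    for label, ctx in (("encrypt-only", encrypt_only_context()),
                       ("default", ssl.create_default_context())):
        print(label, "->", validation_gaps(ctx) or "server is authenticated")
```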