[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Python ssl handling could be better...
- To: security@xxxxxxxxxx, dave b <db.pub.mail@xxxxxxxxx>, full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Python ssl handling could be better...
- From: bk <chort0@xxxxxxxxx>
- Date: Sat, 26 Feb 2011 23:36:06 -0800
On Nov 14, 2010, at 8:54 AM, dave b wrote:
> Just when you thought it couldn't get worse...
>
> http://bugs.python.org/issue3596
> http://bugs.python.org/issue4870
As a follow-up to this, I recently started working with the python-twitter
library (http://code.google.com/p/python-twitter/) that makes use of urllib2
for HTTPS requests, which in turn relies on httplib (that is shipped with
Python). Auditing all the way back down the stack of objects I didn't notice
any parameters that override the defaults to require certificate verification,
and in fact the ssl library for Python 2.6.5 (which is the latest on OpenBSD at
least) does no verification of the server's cert by default. I checked the
page for httplib (http://docs.python.org/library/httplib) to see if I could
pass a parameter to override the default (insane) behavior and found this
helpful message: Warning This does not do any verification of the server’s
certificate.
So anyone using Python's built-in httplib (usually via urllib2) is screwed.
You can't say you weren't warned (even Facebook has heard of Firesheep, there's
no excuse).
--
chort
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/