| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <AC907D13-D79B-4A69-B619-31A47D0FDD56@gmail.com> Date: Sat, 26 Feb 2011 23:36:06 -0800 From: bk <chort0@...il.com> To: security@...hon.org, dave b <db.pub.mail@...il.com>, full-disclosure@...ts.grok.org.uk Subject: Re: Python ssl handling could be better... On Nov 14, 2010, at 8:54 AM, dave b wrote: > Just when you thought it couldn't get worse... > > http://bugs.python.org/issue3596 > http://bugs.python.org/issue4870 As a follow-up to this, I recently started working with the python-twitter library (http://code.google.com/p/python-twitter/) that makes use of urllib2 for HTTPS requests, which in turn relies on httplib (that is shipped with Python). Auditing all the way back down the stack of objects I didn't notice any parameters that override the defaults to require certificate verification, and in fact the ssl library for Python 2.6.5 (which is the latest on OpenBSD at least) does no verification of the server's cert by default. I checked the page for httplib (http://docs.python.org/library/httplib) to see if I could pass a parameter to override the default (insane) behavior and found this helpful message: Warning This does not do any verification of the server’s certificate. So anyone using Python's built-in httplib (usually via urllib2) is screwed. You can't say you weren't warned (even Facebook has heard of Firesheep, there's no excuse). -- chort _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists