lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <AANLkTik0+GT6xLR_3QGkfwz2SqPETYir+OUDNscj0une@mail.gmail.com>
Date: Mon, 28 Feb 2011 00:57:18 +1100
From: dave b <db.pub.mail@...il.com>
To: bk <chort0@...il.com>
Cc: full-disclosure@...ts.grok.org.uk, security@...hon.org
Subject: Re: Python ssl handling could be better...

On 27 February 2011 18:36, bk <chort0@...il.com> wrote:
> On Nov 14, 2010, at 8:54 AM, dave b wrote:
>
>> Just when you thought it couldn't get worse...
>>
>> http://bugs.python.org/issue3596
>> http://bugs.python.org/issue4870
>
> As a follow-up to this, I recently started working with the python-twitter library (http://code.google.com/p/python-twitter/) that makes use of urllib2 for HTTPS requests, which in turn relies on httplib (that is shipped with Python).  Auditing all the way back down the stack of objects I didn't notice any parameters that override the defaults to require certificate verification, and in fact the ssl library for Python 2.6.5 (which is the latest on OpenBSD at least) does no verification of the server's cert by default.  I checked the page for httplib (http://docs.python.org/library/httplib) to see if I could pass a parameter to override the default (insane) behavior and found this helpful message: Warning This does not do any verification of the server’s certificate.
>
> So anyone using Python's built-in httplib (usually via urllib2) is screwed.
>
> You can't say you weren't warned (even Facebook has heard of Firesheep, there's no excuse).

The behaviour isn't that insane. While some of us disagree with it the
python developers are correct in saying that changing this behaviour
(by default) will break stuff.

Also thanks to some awesome work by Antoine Pitrou [0]
in python3.2   -->  "http.client.HTTPSConnection,
urllib.request.HTTPSHandler and
urllib.request.urlopen now take optional arguments to allow for
server certificate checking, as recommended in public uses of HTTPS. "


[0] - http://code.python.org/hg/branches/py3k/rev/86f97255bfc8

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ