Newbie question regarding SSL and certificate verification

John Nagle nagle at animats.com
Thu Jul 29 12:08:32 EDT 2010


On 7/28/2010 10:23 PM, geremy condra wrote:
> On Wed, Jul 28, 2010 at 10:08 PM, John Nagle<nagle at animats.com>  wrote:
>> On 7/28/2010 6:26 PM, geremy condra wrote:
>>>
>>> On Wed, Jul 28, 2010 at 4:41 PM, Jeffrey
>>> Gaynor<jgaynor at ncsa.uiuc.edu>    wrote:
>
>>    The new Python SSL module in 2.6 and later has a huge built-in
>> security hole - it doesn't verify the domain against the
>> certificate.  As someone else put it, this means "you get to
>> talk securely with your attacker." As long as the site or proxy
>> has some valid SSL cert, any valid SSL cert copied from anywhere,
>> the new Python SSL module will tell you everything is just fine.
>>
>>                                 John Nagle
>
> Did anything ever come of the discussion that you and Antoine had?
>
> Geremy Condra
>
> PS- the quote is due to Justin Samuel

    I had to write my own domain check.  Did anyone re-open the
bug report on that issue?

					John Nagle
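
A domain check of the kind this message describes, as an added example that is not John Nagle's code or part of the original post: it matches a hostname against the dict returned by `getpeercert()`. The function names and the sample certificates are assumptions constructed for illustration.

```python
# Added example: hostname check over the dict returned by
# ssl.SSLSocket.getpeercert(). Sample certificates below are constructed.

def _label_match(pattern, hostname):
    """Match one DNS name pattern against a hostname, case-insensitively.
    A '*' is accepted only as the entire leftmost label and covers exactly
    one label, so '*.example.com' matches 'www.example.com' but neither
    'example.com' nor 'a.b.example.com'."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require two fixed labels after the wildcard ('*.com' is refused).
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def hostname_matches(cert, hostname):
    """Return True if the certificate dict names `hostname`."""
    if not cert:
        return False  # None or {}: no validated certificate to check
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not dns_names:
        # Legacy fallback: commonName, used only when no DNS SAN is present.
        dns_names = [v for rdn in cert.get("subject", ())
                     for k, v in rdn if k == "commonName"]
    return any(_label_match(name, hostname) for name in dns_names)


# Constructed sample: a valid certificate issued for some other site.
OTHER_SITE_CERT = {
    "subject": ((("commonName", "www.attacker.example"),),),
    "subjectAltName": (("DNS", "www.attacker.example"),),
}
# Constructed sample: wildcard certificate for the intended site.
BANK_CERT = {
    "subject": ((("commonName", "*.bank.example"),),),
    "subjectAltName": (("DNS", "*.bank.example"), ("DNS", "bank.example")),
}

if __name__ == "__main__":
    for cert in (OTHER_SITE_CERT, BANK_CERT):
        print(hostname_matches(cert, "www.bank.example"))
```

Current Python releases perform this check themselves when the socket is wrapped with a context from `ssl.create_default_context()` and a `server_hostname` is passed.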



