[issue1589] New SSL module doesn't seem to verify hostname against commonName in certificate

david report at bugs.python.org
Wed Sep 29 16:39:56 CEST 2010


david <db.pub.mail at gmail.com> added the comment:

Welcome to 2010.
SSL shouldn't be difficult to use anymore or support in Python applications. But yet, until the changes in http://bugs.python.org/issue9983 were made, Python devs were using modules without any warning of the security implications. pycurl works ... but a *LOT* of coders are not using pycurl.

Today they are still getting it wrong and are still vulnerable to MITM attacks against HTTPS on the client side.

I have an example in a fairly large open source project:
bzr --> (by default, due to a dependency failure ... on not depending on pycurl).
https://bugs.edge.launchpad.net/ubuntu/+source/checkbox/+bug/625076


Less large:
libcloud http://github.com/apache/libcloud/issues/issue/2
linode-python http://github.com/tjfontaine/linode-python/issues/issue/1

I would *very* much like to see these methods fixed by default.
You can talk about how the SSL protocol is not secure because of CAs handling certificates poorly, but until you *actually* perform proper validation you cannot say these things, IMHO.

I can keep on looking at Python projects and reporting these issues, but it is really easy: just look at anything that says it is important that MITM isn't possible against it, then check the deps in Ubuntu/Debian, pick the ones that don't use pycurl, check that they don't validate the common name etc., and then you have a bunch of MITM'able apps, probably ;)

----------
nosy: +db

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue1589>
_______________________________________
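The check the comment above asks for, written out as an added example (this is not code from the tracker comment, from CPython's ssl module, or from bzr/libcloud/linode-python): a hostname matcher over the dictionary shape that ssl.SSLSocket.getpeercert() returns, plus a client context that actually requires a verified chain and a matching name. SAMPLE_CERT and SAMPLE_CN_ONLY_CERT are constructed here and are not real certificates; match_hostname, _dns_match and client_context are this example's own names, not the standard library's.

```python
import ipaddress
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns for a
# verified peer. It is not a real certificate.
SAMPLE_CERT = {
    'subject': ((('countryName', 'US'),),
                (('organizationName', 'Example Org'),),
                (('commonName', 'example.com'),)),
    'subjectAltName': (('DNS', 'example.com'),
                       ('DNS', '*.example.com'),
                       ('IP Address', '192.0.2.10')),
}

# Constructed legacy-style certificate carrying only a commonName and no
# subjectAltName extension at all.
SAMPLE_CN_ONLY_CERT = {
    'subject': ((('commonName', 'legacy.example.net'),),),
}


def _is_ip(value):
    """True if `value` parses as an IPv4 or IPv6 literal."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _dns_match(pattern, hostname):
    """Match one dNSName identifier against a hostname (RFC 6125 style).

    Comparison is case-insensitive. A wildcard is accepted only as the whole
    left-most label, must have at least two labels under it (so '*.com' is
    rejected) and matches exactly one label, so '*.example.com' matches
    'www.example.com' but neither 'example.com' nor 'a.b.example.com'.
    """
    pattern = pattern.lower().rstrip('.')
    hostname = hostname.lower().rstrip('.')
    if '*' not in pattern:
        return pattern == hostname
    plabels = pattern.split('.')
    hlabels = hostname.split('.')
    if plabels[0] != '*' or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def match_hostname(cert, hostname):
    """Return True if the peer certificate `cert` is valid for `hostname`.

    An IP-literal hostname is compared only against 'IP Address'
    subjectAltName entries. Otherwise dNSName entries are authoritative
    whenever any exist; the subject commonName is consulted only for
    certificates that carry no dNSName at all.
    """
    san = cert.get('subjectAltName', ())
    if _is_ip(hostname):
        wanted = ipaddress.ip_address(hostname)
        return any(kind == 'IP Address' and _is_ip(value)
                   and ipaddress.ip_address(value) == wanted
                   for kind, value in san)
    dns_names = [value for kind, value in san if kind == 'DNS']
    if dns_names:
        return any(_dns_match(name, hostname) for name in dns_names)
    for rdn in cert.get('subject', ()):
        for key, value in rdn:
            if key == 'commonName':
                return _dns_match(value, hostname)
    return False


def client_context():
    """Client SSLContext that rejects unverified chains and mismatched names.

    ssl.create_default_context() sets verify_mode=CERT_REQUIRED and
    check_hostname=True, the two settings a bare ssl.wrap_socket() call
    leaves off. Wrap with ctx.wrap_socket(sock, server_hostname=hostname)
    so the name check has something to compare against.
    """
    return ssl.create_default_context()
```

The order of the rules is the security-relevant part: a certificate whose subjectAltName lists dNSName entries must be judged on those alone, otherwise an attacker can obtain a certificate with an innocuous SAN and a commonName of the victim's choosing. The commonName fallback exists only for old certificates with no dNSName, which is the case the original report is about.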
