please add a large NOTE explaining that urllib does not perform any ssl validation.

--> (out of the box)

Sounds reasonable to me.
(although I would like that to change, see issue1589)

This is issue is in respect to https connections :)

Hi pitrou, that bug you linked to is really long can state a summary of any changes made to python and their impact - alternatively the lack of (changes) and their impact.

> Hi pitrou, that bug you linked to is really long can state a summary
> of any changes made to python and their impact - alternatively the
> lack of (changes) and their impact.

No changes yet unfortunately. As for the impact, you already know it,
since you filed this very issue :/

I've added warnings for httplib, urllib, urllib2 in r85101, r85102 and r85103. The changes can take a day or two to appear online.

thank you :)

@pitrou you should also put an example of how to ACTUALLY establish a connection that can't be MITMed. Because lots of people are getting this wrong....

> @pitrou you should also put an example of how to ACTUALLY establish a
> connection that can't be MITMed. Because lots of people are getting
> this wrong....

It would require writing the code for checking hostnames that the ssl
module currently lacks, so if I write that code I'd rather add it to the
ssl module rather than as an example in the docs :)

But, yes, I agree that the situation is quite unsatisfying right now.

Yes totally imho these modules should get fixed to actually do ssl checking.
This means that most users of these methods, even if they think they
are doing it properly as per the ssl module page, are still vulnerable
to attack.

I will add this comment to the bug you linked to above.
As an example, it only took a few minutes to confirm that the default
bzr install on ubuntu is vulnerable ->
https://bugs.edge.launchpad.net/bzr/+bug/651161
(bzr is only vulnerable if pycurl isn't installed but pycurl is only a
suggestion not a dependency ... ).

Please don't say that "urllib does not perform any ssl validation". It certainly *does* perform ssl validation, namely it validates whether the payload received over ssl matches the certificate received from the server.

What it does not do is to validate the server certificate in any form (AFAIU).

@loewis yes.. that is assumed imho.
This ticket is closed, is this a real issue?

> What it does not do is to validate the server certificate in any form (AFAIU).

The warning I have added says “When opening HTTPS (or FTPS) URLs, it is
not attempted to validate the server certificate.”
(see http://docs.python.org/library/urllib.html )

So I don't think we have a disagreement here.

Yes, the new text is fine.