classification
Title: please add a large NOTE explaining that urllib does not perform any ssl validation
Type: Stage: resolved
Components: Documentation Versions: Python 3.1, Python 3.2, Python 2.7
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: docs@python Nosy List: asdfasdfasdfasdfasdfasdfasdf, docs@python, giampaolo.rodola, loewis, orsenthil, pitrou
Priority: normal Keywords:

Created on 2010-09-29 11:11 by asdfasdfasdfasdfasdfasdfasdf, last changed 2010-09-29 21:15 by loewis. This issue is now closed.

Messages (15)
msg117596 - (view) Author: david (asdfasdfasdfasdfasdfasdfasdf) Date: 2010-09-29 11:11
please add a large NOTE explaining that urllib does not perform any ssl validation.
msg117597 - (view) Author: david (asdfasdfasdfasdfasdfasdfasdf) Date: 2010-09-29 11:12
--> (out of the box)
msg117598 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2010-09-29 11:12
Sounds reasonable to me.
(although I would like that to change, see issue1589)
msg117599 - (view) Author: david (asdfasdfasdfasdfasdfasdfasdf) Date: 2010-09-29 11:14
This is issue is in respect to https connections :)
msg117600 - (view) Author: david (asdfasdfasdfasdfasdfasdfasdf) Date: 2010-09-29 11:16
Hi pitrou, that bug you linked to is really long can state a summary of any changes made to python and their impact - alternatively the lack of (changes) and their impact.
msg117602 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2010-09-29 11:22
> Hi pitrou, that bug you linked to is really long can state a summary
> of any changes made to python and their impact - alternatively the
> lack of (changes) and their impact.

No changes yet unfortunately. As for the impact, you already know it,
since you filed this very issue :/
msg117603 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2010-09-29 11:32
I've added warnings for httplib, urllib, urllib2 in r85101, r85102 and r85103. The changes can take a day or two to appear online.
msg117604 - (view) Author: david (asdfasdfasdfasdfasdfasdfasdf) Date: 2010-09-29 11:41
thank you :)
msg117608 - (view) Author: david (asdfasdfasdfasdfasdfasdfasdf) Date: 2010-09-29 13:07
@pitrou you should also put an example of how to ACTUALLY establish a connection that can't be MITMed. Because lots of people are getting this wrong....
msg117609 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2010-09-29 13:11
> @pitrou you should also put an example of how to ACTUALLY establish a
> connection that can't be MITMed. Because lots of people are getting
> this wrong....

It would require writing the code for checking hostnames that the ssl
module currently lacks, so if I write that code I'd rather add it to the
ssl module rather than as an example in the docs :)

But, yes, I agree that the situation is quite unsatisfying right now.
msg117611 - (view) Author: david (asdfasdfasdfasdfasdfasdfasdf) Date: 2010-09-29 14:32
Yes totally imho these modules should get fixed to actually do ssl checking.
This means that most users of these methods, even if they think they
are doing it properly as per the ssl module page, are still vulnerable
to attack.

I will add this comment to the bug you linked to above.
As an example, it only took a few minutes to confirm that the default
bzr install on ubuntu is vulnerable ->
https://bugs.edge.launchpad.net/bzr/+bug/651161
(bzr is only vulnerable if pycurl isn't installed but pycurl is only a
suggestion not a dependency ... ).
msg117649 - (view) Author: Martin v. Löwis (loewis) * (Python committer) Date: 2010-09-29 20:26
Please don't say that "urllib does not perform any ssl validation". It certainly *does* perform ssl validation, namely it validates whether the payload received over ssl matches the certificate received from the server.

What it does not do is to validate the server certificate in any form (AFAIU).
msg117650 - (view) Author: david (asdfasdfasdfasdfasdfasdfasdf) Date: 2010-09-29 20:31
@loewis yes.. that is assumed imho.
This ticket is closed, is this a real issue?
msg117651 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2010-09-29 20:40
> What it does not do is to validate the server certificate in any form (AFAIU).

The warning I have added says “When opening HTTPS (or FTPS) URLs, it is
not attempted to validate the server certificate.”
(see http://docs.python.org/library/urllib.html )

So I don't think we have a disagreement here.
msg117657 - (view) Author: Martin v. Löwis (loewis) * (Python committer) Date: 2010-09-29 21:15
Yes, the new text is fine.
History
Date User Action Args
2010-09-29 21:15:37loewissetmessages: + msg117657
2010-09-29 20:40:18pitrousetmessages: + msg117651
2010-09-29 20:31:09asdfasdfasdfasdfasdfasdfasdfsetmessages: + msg117650
2010-09-29 20:26:30loewissetnosy: + loewis
messages: + msg117649
2010-09-29 18:27:37giampaolo.rodolasetnosy: + giampaolo.rodola
2010-09-29 14:32:08asdfasdfasdfasdfasdfasdfasdfsetmessages: + msg117611
2010-09-29 13:11:55pitrousetmessages: + msg117609
2010-09-29 13:07:18asdfasdfasdfasdfasdfasdfasdfsetmessages: + msg117608
2010-09-29 11:42:32pitrousetstatus: open -> closed
resolution: fixed
stage: resolved
2010-09-29 11:41:39asdfasdfasdfasdfasdfasdfasdfsetstatus: closed -> open
resolution: fixed -> (no value)
messages: + msg117604
2010-09-29 11:32:45pitroulinkissue9984 superseder
2010-09-29 11:32:10pitrousetstatus: open -> closed
resolution: fixed
messages: + msg117603
2010-09-29 11:22:43pitrousetmessages: + msg117602
2010-09-29 11:16:52asdfasdfasdfasdfasdfasdfasdfsetmessages: + msg117600
2010-09-29 11:14:02asdfasdfasdfasdfasdfasdfasdfsetmessages: + msg117599
2010-09-29 11:13:36pitrousetnosy: + orsenthil

versions: + Python 3.1, Python 3.2
2010-09-29 11:12:56pitrousetnosy: + pitrou
messages: + msg117598
2010-09-29 11:12:08asdfasdfasdfasdfasdfasdfasdfsetmessages: + msg117597
2010-09-29 11:11:40asdfasdfasdfasdfasdfasdfasdfcreate