Message 117613 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	asdfasdfasdfasdfasdfasdfasdf
Recipients	ahasenack, asdfasdfasdfasdfasdfasdfasdf, debatem1, devin, giampaolo.rodola, heikki, janssen, jsamuel, orsenthil, pitrou, vila
Date	2010-09-29.14:39:54
SpamBayes Score	1.5413541e-05
Marked as misclassified	No
Message-id	<1285771196.72.0.074694874619.issue1589@psf.upfronthosting.co.za>
In-reply-to

Content
Welcome to 2010. SSL shouldn't be difficult to use anymore or support in python applications. But yet, until the changes in http://bugs.python.org/issue9983 was fixed python devs were using modules without any warning of the security implications. pycurl works ... but a LOT of coders are not using pycurl. Today they are still getting it wrong and are still vulnerable to mitm attacks against https on the client side. I have an example in fairly large open source project: bzr --> (by default due to a dependency failure ... on not depending on pycurl). https://bugs.edge.launchpad.net/ubuntu/+source/checkbox/+bug/625076 Less large: libcloud http://github.com/apache/libcloud/issues/issue/2 linode-python http://github.com/tjfontaine/linode-python/issues/issue/1 I would very much like to see these methods fixed by default. You can talk about how the ssl protocol is not secure because of ca's handling certificates poorly, but until you actually perform proper validation you cannot say these things imho. I can keep on looking at python projects and reporting these issues but it is really easy, just look at anything that says and is important that mitm isn't possible against it -> then check the deps. in ubuntu /debian and pick the ones that don't use pycurl, check they don't validate the common name etc. and then you have a bunch of mitm'able apps probably ;)

Welcome to 2010.
SSL shouldn't be difficult to use anymore or support in python applications. But yet, until the changes in http://bugs.python.org/issue9983 was fixed python devs were using modules without any warning of the security implications. pycurl works ... but a *LOT* of coders are not using pycurl. 

Today they are still getting it wrong and are still vulnerable to mitm attacks against https on the client side.

I have an example in fairly large open source project:
bzr --> (by default due to a dependency failure ... on not depending on pycurl).  
https://bugs.edge.launchpad.net/ubuntu/+source/checkbox/+bug/625076


Less large:
libcloud http://github.com/apache/libcloud/issues/issue/2
linode-python http://github.com/tjfontaine/linode-python/issues/issue/1

I would *very* much like to see these methods fixed by default.
You can talk about how the ssl protocol is not secure because of ca's handling certificates poorly, but until you *actually* perform proper validation you cannot say these things imho. 

I can keep on looking at python projects and reporting these issues but it is really easy, just look at anything that says and is important that mitm isn't possible against it -> then check the deps. in ubuntu /debian and pick the ones that don't use pycurl, check they don't validate the common name etc. and then you have a bunch of mitm'able apps probably ;)

History
Date	User	Action	Args
2010-09-29 14:39:56	asdfasdfasdfasdfasdfasdfasdf	set	recipients: + asdfasdfasdfasdfasdfasdfasdf, janssen, orsenthil, pitrou, giampaolo.rodola, vila, heikki, ahasenack, debatem1, jsamuel, devin
2010-09-29 14:39:56	asdfasdfasdfasdfasdfasdfasdf	set	messageid: <1285771196.72.0.074694874619.issue1589@psf.upfronthosting.co.za>
2010-09-29 14:39:55	asdfasdfasdfasdfasdfasdfasdf	link	issue1589 messages
2010-09-29 14:39:54	asdfasdfasdfasdfasdfasdfasdf	create