Author asdfasdfasdfasdfasdfasdfasdf
Recipients ahasenack, asdfasdfasdfasdfasdfasdfasdf, debatem1, devin, giampaolo.rodola, heikki, janssen, jsamuel, orsenthil, pitrou, vila
Date 2010-09-29.14:39:54
Message-id <1285771196.72.0.074694874619.issue1589@psf.upfronthosting.co.za>
In-reply-to
Content
Welcome to 2010.
SSL shouldn't be difficult to use anymore or support in Python applications. But yet, until the changes in http://bugs.python.org/issue9983 were made, Python devs were using modules without any warning of the security implications. pycurl works ... but a *LOT* of coders are not using pycurl.

Today they are still getting it wrong and are still vulnerable to mitm attacks against https on the client side.

I have an example in a fairly large open source project:
bzr --> (by default due to a dependency failure ... on not depending on pycurl).  
https://bugs.edge.launchpad.net/ubuntu/+source/checkbox/+bug/625076


Less large:
libcloud http://github.com/apache/libcloud/issues/issue/2
linode-python http://github.com/tjfontaine/linode-python/issues/issue/1

I would *very* much like to see these methods fixed by default.
You can talk about how the SSL protocol is not secure because of CAs handling certificates poorly, but until you *actually* perform proper validation you cannot say these things imho.

I can keep on looking at Python projects and reporting these issues, but it is really easy: just look at anything that says and is important that mitm isn't possible against it -> then check the deps in Ubuntu/Debian and pick the ones that don't use pycurl, check they don't validate the common name etc. and then you have a bunch of mitm'able apps probably ;)
History
Date | User | Action | Args
2010-09-29 14:39:56 | asdfasdfasdfasdfasdfasdfasdf | set | recipients: + asdfasdfasdfasdfasdfasdfasdf, janssen, orsenthil, pitrou, giampaolo.rodola, vila, heikki, ahasenack, debatem1, jsamuel, devin
2010-09-29 14:39:56 | asdfasdfasdfasdfasdfasdfasdf | set | messageid: <1285771196.72.0.074694874619.issue1589@psf.upfronthosting.co.za>
2010-09-29 14:39:55 | asdfasdfasdfasdfasdfasdfasdf | link | issue1589 messages
2010-09-29 14:39:54 | asdfasdfasdfasdfasdfasdfasdf | create |
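
Added example, not part of the original message or of any project it names: the two client-side checks the message says are being skipped (verifying the certificate chain and matching the certificate to the requested hostname), shown as an audit of `ssl.SSLContext` settings. It uses the current standard-library `ssl` API, which postdates this 2010 message; the function names are illustrative.

```python
import ssl


def validation_gaps(ctx):
    """Return the server-authentication checks this client context skips."""
    gaps = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        gaps.append("certificate chain is not verified against trusted CAs")
    if not ctx.check_hostname:
        gaps.append("certificate is not matched against the requested hostname")
    return gaps


def unverified_context():
    """Weak setting: accepts any certificate from any peer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname has to be cleared first; the ssl module refuses
    # CERT_NONE while hostname checking is still enabled.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def chain_only_context():
    """Half-fixed setting: the chain is verified, but a valid certificate
    issued for a different host is still accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def verified_context():
    """Corrected setting: CERT_REQUIRED plus hostname matching."""
    return ssl.create_default_context()


if __name__ == "__main__":
    for name, make in [("unverified", unverified_context),
                       ("chain only", chain_only_context),
                       ("verified", verified_context)]:
        gaps = validation_gaps(make())
        print(name + ":", "; ".join(gaps) if gaps else "no gaps")
```

A context that reports no gaps still has to be used with `server_hostname=` when wrapping the socket, since that argument supplies the name the certificate is matched against.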