From: Christian Heimes on 29 Jul 2010 11:03
> I know very little about security, but one thing I think I know. Never
> use security software version 1.0 or greater. It was written by an
> author insufficiently paranoid.

OpenSSL 1.0.0a was released about a month ago. ;)

From: John Nagle on 29 Jul 2010 12:08
On 7/28/2010 10:23 PM, geremy condra wrote:
> On Wed, Jul 28, 2010 at 10:08 PM, John Nagle<nagle(a)animats.com> wrote:
>> On 7/28/2010 6:26 PM, geremy condra wrote:
>>>
>>> On Wed, Jul 28, 2010 at 4:41 PM, Jeffrey
>>> Gaynor<jgaynor(a)ncsa.uiuc.edu> wrote:
>
>> The new Python SSL module in 2.6 and later has a huge built-in
>> security hole - it doesn't verify the domain against the
>> certificate. As someone else put it, this means "you get to
>> talk securely with your attacker." As long as the site or proxy
>> has some valid SSL cert, any valid SSL cert copied from anywhere,
>> the new Python SSL module will tell you everything is just fine.
>>
>> John Nagle
>
> Did anything ever come of the discussion that you and Antoine had?
>
> Geremy Condra
>
> PS- the quote is due to Justin Samuel

I had to write my own domain check. Did anyone re-open the bug
report on that issue?

John Nagle

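A domain check of the kind discussed in this thread, as an added example that is not part of any poster's message and not code from the Python standard library or M2Crypto. The function names `name_matches` and `cert_matches_host` and both sample certificates are constructed for illustration; the input is the dict shape returned by `ssl.SSLSocket.getpeercert()`.

```python
# Added example: names and sample certificates below are constructed.
# Input is the dict shape returned by ssl.SSLSocket.getpeercert().

def name_matches(pattern, hostname):
    """Match one certificate DNS name against the hostname, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False                      # a wildcard covers exactly one label
    if any("*" in label for label in p[1:]) or p[1:] != h[1:]:
        return False                      # wildcard allowed only in first label
    if p[0] == "*":
        return len(p) >= 3                # refuse over-broad names like "*.com"
    return "*" not in p[0] and p[0] == h[0]


def cert_matches_host(cert, hostname):
    """True if the (already chain-validated) cert was issued for hostname."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        # commonName is consulted only when no DNS subjectAltName is present
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return any(name_matches(n, hostname) for n in names)


# Constructed certificate for the site the client intends to reach
SITE_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "*.shop.example")),
}
# Constructed certificate that is valid, but issued for a different name:
# the case the thread says the 2.6 ssl module accepts without complaint
OTHER_CERT = {"subject": ((("commonName", "unrelated.example"),),)}

if __name__ == "__main__":
    for cert, host in [(SITE_CERT, "shop.example"),
                       (SITE_CERT, "pay.shop.example"),
                       (SITE_CERT, "a.b.shop.example"),
                       (OTHER_CERT, "shop.example")]:
        print(host, "->", cert_matches_host(cert, host))
```

The check is meaningful only after the chain has been validated with `cert_reqs=ssl.CERT_REQUIRED`; `getpeercert()` returns an empty dict for an unvalidated certificate, which this function rejects. Current Python versions perform the hostname check themselves when the context comes from `ssl.create_default_context()`.
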
From: Antoine Pitrou on 29 Jul 2010 12:13
On Wed, 28 Jul 2010 22:23:48 -0700
geremy condra <debatem1(a)gmail.com> wrote:
> >
> > The new Python SSL module in 2.6 and later has a huge built-in
> > security hole - it doesn't verify the domain against the
> > certificate. As someone else put it, this means "you get to
> > talk securely with your attacker." As long as the site or proxy
> > has some valid SSL cert, any valid SSL cert copied from anywhere,
> > the new Python SSL module will tell you everything is just fine.
> >
> > John Nagle
>
> Did anything ever come of the discussion that you and Antoine had?

As I wrote in http://bugs.python.org/issue1589, I would support adding
the necessary function(s) to the SSL module, and have urllib (and other
stdlib modules) support them. Someone needs to write a patch, though.

Regards

Antoine.

From: geremy condra on 29 Jul 2010 17:22
On Thu, Jul 29, 2010 at 9:13 AM, Antoine Pitrou <solipsis(a)pitrou.net> wrote:
> On Wed, 28 Jul 2010 22:23:48 -0700
> geremy condra <debatem1(a)gmail.com> wrote:
>> >
>> > The new Python SSL module in 2.6 and later has a huge built-in
>> > security hole - it doesn't verify the domain against the
>> > certificate. As someone else put it, this means "you get to
>> > talk securely with your attacker." As long as the site or proxy
>> > has some valid SSL cert, any valid SSL cert copied from anywhere,
>> > the new Python SSL module will tell you everything is just fine.
>> >
>> > John Nagle
>>
>> Did anything ever come of the discussion that you and Antoine had?
>
> As I wrote in http://bugs.python.org/issue1589, I would support adding
> the necessary function(s) to the SSL module, and have urllib (and other
> stdlib modules) support them. Someone needs to write a patch, though.
>
> Regards
>
> Antoine.

Hmm, my understanding at the time was that there had been a decision
to just adapt Heikki Toivonen's M2Crypto code, if that's just looking
for someone to turn it into a patch I'll see if I can't find the time
next week.

Geremy Condra

From: Gregory Ewing on 30 Jul 2010 04:04
David Robinow wrote:
> Never
> use security software version 1.0 or greater. It was written by an
> author insufficiently paranoid.

Hmmm. So to get people to trust your security software,
you should start with version 0.0 and increment by
0.0000001 for each release. :-)

--
Greg