On 7/28/2010 10:23 PM, geremy condra wrote:
On Wed, Jul 28, 2010 at 10:08 PM, John Nagle<na...@animats.com> wrote:
On 7/28/2010 6:26 PM, geremy condra wrote:
On Wed, Jul 28, 2010 at 4:41 PM, Jeffrey
Gaynor<jgay...@ncsa.uiuc.edu> wrote:
The new Python SSL module in 2.6 and later has a huge built-in
security hole - it doesn't verify the domain against the
certificate. As someone else put it, this means "you get to
talk securely with your attacker." As long as the site or proxy
has some valid SSL cert, any valid SSL cert copied from anywhere,
the new Python SSL module will tell you everything is just fine.
John Nagle
Did anything ever come of the discussion that you and Antoine had?
Geremy Condra
PS- the quote is due to Justin Samuel
I had to write my own domain check. Did anyone re-open the
bug report on that issue?
John Nagle
--
http://mail.python.org/mailman/listinfo/python-list
