incubator-libcloud mailing list archives

From "Jed Smith (JIRA)" <j...@apache.org>
Subject [libcloud] [jira] Closed: (LIBCLOUD-55) this python project is vulnerable to MITM as it fails to verify the ssl validity of the remote destination.
Date Wed, 29 Sep 2010 16:10:33 GMT

     [ https://issues.apache.org/jira/browse/LIBCLOUD-55?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jed Smith closed LIBCLOUD-55.
-----------------------------

    Resolution: Won't Fix

Warnings introduced in r1002708.

Thank you for taking the time to file a libcloud bug report; however, the root issue here,
as you are aware, is in Python itself. As such, I have added warnings to the README and code
for our project to link to upstream: http://bugs.python.org/issue1589

Once the root cause in Python is addressed, all clients of the Python standard library will
subsequently be fixed as well with no intervention on our part.

Once again, thank you for helping to make libcloud a better project.

> this python project is vulnerable to MITM as it fails to verify the ssl validity of the remote destination.
> -----------------------------------------------------------------------------------------------------------
>
>                 Key: LIBCLOUD-55
>                 URL: https://issues.apache.org/jira/browse/LIBCLOUD-55
>             Project: Libcloud
>          Issue Type: Bug
>          Components: Core
>            Reporter: dave b ^^
>   Original Estimate: 0.5h
>  Remaining Estimate: 0.5h
>
> this python project is vulnerable to MITM as it fails to verify the ssl validity of the remote destination.
> urllib / urllib2, httplib.HTTPSConnection do not verify ssl at all by default.
> from base.py
> class ConnectionKey(object):
>     """ A Base Connection class to derive from.
>     """
>     conn_classes = (httplib.HTTPConnection, httplib.HTTPSConnection)
>     ....
>     def connect(self, host=None, port=None):
>         .....
>         connection = self.conn_classes[self.secure]
> this request can be MITMed leading to the compromise of a user's API key - where a secured https connection was requested, but can be MITM'ed.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
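
A hardened form of the conn_classes pattern quoted in the report, as an added example that is not part of the original message or of libcloud's code. It is written for Python 3's http.client; VerifiedHTTPSConnection, verifying_context, unverified_context and context_problems are hypothetical names, and the weak context is constructed only to show what the guard rejects.

```python
import http.client
import ssl


def verifying_context(cafile=None):
    """Client context that requires a trusted chain and a hostname match."""
    return ssl.create_default_context(cafile=cafile)


def unverified_context():
    """Constructed weak context: accepts any certificate, as the report describes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_problems(ctx):
    """List the reasons a context would accept an interceptor's certificate."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate chain is not validated")
    if not ctx.check_hostname:
        problems.append("hostname is not matched against the certificate")
    return problems


class VerifiedHTTPSConnection(http.client.HTTPSConnection):
    """HTTPSConnection that cannot be built with verification switched off."""

    def __init__(self, host, port=None, context=None, **kwargs):
        context = context or verifying_context()
        problems = context_problems(context)
        if problems:
            raise ValueError("insecure TLS context: " + "; ".join(problems))
        super().__init__(host, port, context=context, **kwargs)


class ConnectionKey(object):
    # Same plain/secure pair as the quoted base.py, with the secure slot hardened.
    conn_classes = (http.client.HTTPConnection, VerifiedHTTPSConnection)

    def __init__(self, host, secure=True, port=None):
        self.host, self.secure, self.port = host, secure, port

    def connect(self):
        # Constructing the connection opens no socket; the first request() would.
        return self.conn_classes[self.secure](self.host, self.port)
```

Passing cafile to verifying_context pins the trust store to a specific CA bundle instead of the system default.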

