Closed: clefru closed this 10 years ago
Hello clefru,
thanks for highlighting a possible security issue. I checked the SSL verification feature in the requests documentation, and the `verify` argument is True by default. Requests ships with the exact Certificate Authority Bundle that Mozilla's Firefox ships with, and it is updated on a regular basis - the cacert.pem file in the PyPI package. We should be safe here, shouldn't we?
Kamil
Oh, that's great. I had the impression from the documentation that verify wasn't on by default.
I am not a big fan of PKI since I watched http://www.youtube.com/watch?v=Z7Wl2FW2TcA . The number of entities that can sign is just too big. I would personally prefer if we could just hardcode the Bitstamp certificate, since this is a Bitstamp-specific package. But since verify=True, I would say this has a much lower priority.
I don't think that a hardcoded certificate is helpful, because Bitstamp's certificate is issued for a one-year period. It would be necessary to issue a new version of the Bitstamp client and upgrade it once a year, which would annoy many users.
I'm aware that PKI is not perfect, but it's better than certificates hardcoded into the library. If there is anyone who doesn't trust the certificates bundled with requests, he can use the REQUESTS_CA_BUNDLE environment variable and point it to a file with the downloaded Bitstamp certificates: http://docs.python-requests.org/en/latest/user/advanced/#ssl-cert-verification
I agree with you, hardcoding wouldn't make much sense with a 1-year cert. Thanks for looking into that! (... closing)
The Bitstamp API authenticates but has no integrity check built in, thus relying on SSL to provide integrity. However, with Python and its default cert checking off ( http://lwn.net/Articles/582065 ), the Python client is vulnerable to MMAs.
http://stackoverflow.com/questions/1087227/validate-ssl-certificates-with-python has some general hints, but since you are using requests ( http://www.python-requests.org/en/latest/user/advanced/#ssl-cert-verification ), verify=True + a custom CA_BUNDLE containing just the Bitstamp cert seems like a good solution.
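The verify=True-plus-custom-bundle approach discussed in this thread, as an added example that is not code from the issue, the Bitstamp client or requests: it resolves what to pass as requests' `verify` (an explicit bundle, then REQUESTS_CA_BUNDLE, then requests' own Mozilla bundle) and refuses any value that would turn verification off. The `env` parameter exists only to make the resolution testable, and the ticker URL is an assumption.

```python
"""Added example: choose the CA bundle for requests without ever silently
disabling certificate verification.  Not part of the bitstamp client."""
import os

# Values an operator might put in an env var hoping to turn checks off.
# They are rejected here; this helper never returns verify=False.
DISABLE_LOOKING = {"", "0", "false", "no", "off"}


def resolve_verify(bundle=None, env=None):
    """Return the value to pass as requests' `verify`: a bundle path or True.

    Precedence: explicit `bundle` argument, then the REQUESTS_CA_BUNDLE
    environment variable (requests honours it too, but resolving it here
    fails early on a missing file), then True, which makes requests use
    its Mozilla-derived cacert.pem.
    """
    env = os.environ if env is None else env
    candidate = bundle if bundle is not None else env.get("REQUESTS_CA_BUNDLE")
    if candidate is None or candidate is True:
        return True
    if str(candidate).strip().lower() in DISABLE_LOOKING:
        raise ValueError("refusing to disable TLS verification: %r" % (candidate,))
    if not os.path.isfile(candidate):
        raise FileNotFoundError("CA bundle not found: %s" % candidate)
    return os.path.abspath(candidate)


def make_session(bundle=None):
    """Build a requests.Session whose `verify` is pinned via resolve_verify."""
    import requests  # imported lazily so resolve_verify stays dependency-free
    session = requests.Session()
    session.verify = resolve_verify(bundle)
    return session


if __name__ == "__main__":
    # Assumed endpoint.  With a bundle holding only the Bitstamp certificate,
    # any server cert that does not chain to it raises requests.exceptions.SSLError,
    # which is the failure you want when an intermediary tampers with the connection.
    s = make_session()
    print(s.get("https://www.bitstamp.net/api/ticker/").json())
```

Because the pinned bundle expires with Bitstamp's yearly certificate, a FileNotFoundError or SSLError from this helper is a signal to refresh the downloaded certificate, not to set verify=False.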