search

krmaxwell / maltrieve

A tool to retrieve malware directly from the source for security researchers.
GNU General Public License v3.0
562 stars 184 forks source link

Warning on HTTPS connections #143

Open krmaxwell opened 9 years ago

krmaxwell commented 9 years ago 
/home/kmaxwell/src/maltrieve/venv/local/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:79: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
krmaxwell commented 9 years ago

So my inclination is that we should require valid certificates from the list sources (e.g. ZeusTracker) but not from the served samples themselves (because we expect badness there). Thoughts?

krmaxwell commented 9 years ago

Based on https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning , it looks like the real fix is to upgrade to v2.7.9 or greater.

krmaxwell commented 9 years ago

Orrrr to install the security extras.

webstergd commented 9 years ago

I do not think Ubuntu LTE has upgraded to that version yet on the standard install. I think it is a nice to have with the source list. It really shouldn't matter when downloading the samples as it is already malicious. People should also be using a Proxy.

On Tue, May 26, 2015 at 5:27 PM, Kyle Maxwell notifications@github.com wrote:

Orrrr to install the security extras http://stackoverflow.com/a/29202163/1569808.

— Reply to this email directly or view it on GitHub https://github.com/krmaxwell/maltrieve/issues/143#issuecomment-105567737 .

krmaxwell commented 9 years ago

For me, this is as much about the UX as anything else. All those warnings clutter up the display. Also, assuming that you're using pip install -r requirements.txt then we should be able to do everything via PyPI.

webstergd commented 9 years ago

fully agree. That warning is an annoying one for sure.

On Tue, May 26, 2015 at 9:36 PM, Kyle Maxwell notifications@github.com wrote:

For me, this is as much about the UX as anything else. All those warnings clutter up the display. Also, assuming that you're using pip install -r requirements.txt then we should be able to do everything via PyPI.

— Reply to this email directly or view it on GitHub https://github.com/krmaxwell/maltrieve/issues/143#issuecomment-105643486 .

jrespeto commented 9 years ago

I was getting security errors also did this to fix it.

apt-get install libffi-dev openssl-dev pip install requests[security]