[RFC] Default to urllib http implementation.
Toshio Kuratomi
a.badger at gmail.com
Tue May 19 07:37:04 BST 2009
On 05/18/2009 09:21 PM, Colin D Bennett wrote:
> Andrew Cowie wrote on Monday 18 May 2009:
>> On Mon, 2009-05-18 at 19:47 -0700, Colin D Bennett wrote:
>>> I don't understand. Any SSL connection should prevent man-in-the-middle
>>> attacks, right?
>> No, because
>>
>>> I would *not* want to turn off the host certificate check; that defeats
>>> the point of using a secure connection in the first place. I would want
>>> to instead *trust* the server certificate.
>> is what prevents the man-in-the-middle attack.
>>
>> [ie, you had it right]
>>
>> SSL provides confidentiality between endpoints. You have to go further
>> to establish the endpoint you are talking to is who you think it is.
>> That part has ever been the cumbersome part of asymmetric cryptography
>> and public key infrastructure.
>
> I understand PKI fairly well. My point is that you just have to get the
> actual server certificate once, trust it, and then you are guaranteed that
> there is no man in the middle from that point forward. Obviously you must
> obtain the server certificate through a trusted communication channel (in
> person on physical media such as a USB flash drive, via secure e-mail, from a
> secure web page, or verifying the key's signature over the phone).
>
> For instance, I encountered the pycurl SSL problem for a university project.
> We had a Subversion server with SSL and a self-signed certificate. I had to
> use bzr with urllib because I could not mark the certificate as trusted with
> pycurl, even though I had physical access to the server and could obtain the
> key in a secure manner.
>
This is done at a higher level than pycurl. You can tell pycurl to use
a different set of known certificates than the default. But the library
doesn't encode a per-user file or directory that it looks in for other
certificates. It's up to the application to create this infrastructure
if it wants it. In this case, bzr doesn't provide a way to access this
feature of pycurl.
Unless my knowledge is outdated, when you use urllib you have the
opposite problem. Without writing additional code you do not get any
verification of the server's certificate actually being for the machine
you're talking to. So you are vulnerable to another host sitting in the
middle and pretending to be that machine. Since urllib isn't verifying
the validity of the certificate, there's no assurance that the server is
who they claim to be.
-Toshio
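The three behaviours discussed in this thread (a client that only trusts the system CA store, a client that explicitly trusts the server's own self-signed certificate, and a client that skips verification and is therefore exposed to a host in the middle) can be seen side by side against a local HTTPS server. The following is an added example, not code from the thread, from bzr or from pycurl. It assumes Python 3 (where, since 3.4.3 and PEP 476, urllib verifies certificates by default, unlike the urllib of 2009 described above) and an `openssl` command-line binary with OpenSSL 1.1.1 or newer for generating the throwaway self-signed certificate; the server, certificate and hostnames are constructed for the demonstration.

```python
"""Self-signed server certificate: system trust vs. pinning vs. no verification.

Added example for the bzr/pycurl/urllib discussion. Assumes Python 3 and an
`openssl` CLI (>= 1.1.1, for -addext). Everything runs on 127.0.0.1.
"""
import http.server
import os
import ssl
import subprocess
import tempfile
import threading
import urllib.error
import urllib.request


def make_self_signed(directory, hostname="localhost"):
    """Generate key.pem/cert.pem for `hostname` with the openssl CLI (assumption:
    the binary is on PATH). The SAN carries only the DNS name, so the certificate
    is deliberately NOT valid for the IP address 127.0.0.1."""
    key = os.path.join(directory, "key.pem")
    cert = os.path.join(directory, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", f"/CN={hostname}", "-addext", f"subjectAltName=DNS:{hostname}",
         "-keyout", key, "-out", cert],
        check=True, capture_output=True)
    return cert, key


class _Hello(http.server.BaseHTTPRequestHandler):
    """Minimal HTTPS endpoint standing in for the Subversion/bzr server."""

    def do_GET(self):
        body = b"hello from the real server\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_https_server(cert, key):
    """Serve _Hello over TLS on an ephemeral 127.0.0.1 port in a daemon thread."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    srv = http.server.HTTPServer(("127.0.0.1", 0), _Hello)
    srv.socket = ctx.wrap_socket(srv.socket, server_side=True)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def verification_outcome(url, ctx):
    """GET `url` with the given client SSLContext.
    Returns ("accepted", body) or ("rejected", why) for certificate failures."""
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=5) as resp:
            return "accepted", resp.read().decode().strip()
    except urllib.error.URLError as e:
        if isinstance(e.reason, ssl.SSLCertVerificationError):
            return "rejected", e.reason.verify_message
        raise


def run_demo():
    """Run the five client configurations against one self-signed server."""
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_self_signed(tmp)
        srv, port = start_https_server(cert, key)
        try:
            by_name = f"https://localhost:{port}/"
            by_ip = f"https://127.0.0.1:{port}/"
            # 1. System CA store: a self-signed cert is unknown, so it is rejected.
            system_trust = ssl.create_default_context()
            # 2. "Trust the server certificate": only cert.pem is a trust anchor,
            #    and the hostname is still checked against it.
            pinned = ssl.create_default_context(cafile=cert)
            # 3. Encryption only, no identity check: the 2009-urllib situation.
            unverified = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            unverified.check_hostname = False
            unverified.verify_mode = ssl.CERT_NONE
            return {
                "system_trust": verification_outcome(by_name, system_trust),
                "pinned": verification_outcome(by_name, pinned),
                "pinned_wrong_host": verification_outcome(by_ip, pinned),
                "unverified": verification_outcome(by_name, unverified),
                "unverified_wrong_host": verification_outcome(by_ip, unverified),
            }
        finally:
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for name, (status, detail) in run_demo().items():
        print(f"{name:22s} {status:9s} {detail}")
```

The `pinned_wrong_host` case is the one that matters for the man-in-the-middle argument: the certificate is trusted, the channel is encrypted, yet the connection is refused because the name the client asked for is not the name the certificate was issued to. The `unverified` context accepts both URLs, which is exactly the "confidentiality without knowing who you are talking to" that the reply above warns about.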
More information about the bazaar mailing list