Comment 10 for bug 1188189
Revision history for this message
| Thierry Carrez (ttx) wrote Re: Potentially insecure use of httplib.HTTPSConnection | #10 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
73416ba
(Get the code!)
So all the occurences seem to be for serverside node-to-node communication that could be assumed to happen on private networks. That said, all those "use_ssl" give a false sense of security (about the same as communicating unencrypted). The inability to specify a ca_file should serve as a hint that it's not really safe, but that subtlety may be lost on most.
I'm not 100% certain to classify this as an exploitable vulnerability that warrants embargoed disclosure -- we could consider this as missing proper internal encryption features between internal nodes and remind people (through OSSN) to deploy over secure private management networks (as Swift already does). The only thing which makes this a potential vulnerability is that the "use_ssl" parameters where available may induce people into thinking they are safe while they are not...
Thoughts ?