7/14/2023 Urllib get plain text

If you are using an older version that does not validate certificates by default, but you do trust the path between your client and the server, it should probably be OK as well. If you are using a newer version of Python it is secure and there is no need to worry. If you are using an older version of Python that does not validate SSL certificates by default, and you ALSO have a reason to not trust your ISP or any network between your client and the server, you should be worried.

However, without validating the certificate you are vulnerable to man-in-the-middle attacks if anyone in the network between your client and the web server is able to intercept your connection, or by other means redirect your connection to a rogue server which can read the contents of your request (including any passwords) and pass it on to the real destination so you won't notice anything.

Even if someone like your ISP would try to dump the transmitted data, it would not be readable. If your connection ended up in the intended destination at the web server you wanted to reach, the connection is still securely encrypted (unless both the client and the server allow insecure protocols/ciphers). Not validating a certificate doesn't necessarily mean that your data is unsafe.

This is why you read that ssl.create_default_context() is recommended, since it would configure older versions of Python to do certificate validation and set a recommended set of ciphers. If anyone has full control over the network connection between your client and the server they might be intercepting and reading everything that is being transmitted. However, a badly configured client (like older versions of Python) that doesn't do HTTPS certificate validation can lead to security problems. A modern server would refuse insecure connections, and a modern client would also refuse insecure connections.
HTTP should no longer be used for transmitting sensitive information. Any request over HTTPS is today normally secure when using modern software and standard configuration.
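The following is an added example, not code from the original post: it checks whether an `ssl.SSLContext` actually authenticates the server before `urllib` uses it, and compares the context from `ssl.create_default_context()` with one that only encrypts. The helper names `audit_context`, `unverified_context` and `fetch_text` are hypothetical.

```python
import ssl
import urllib.request


def audit_context(ctx):
    """Return the reasons why ctx would accept a rogue server (empty if none)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the certificate")
    return findings


def unverified_context():
    """Context that encrypts but does not authenticate the server
    (the behaviour the post attributes to older Python defaults)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # has to be disabled before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch_text(url, timeout=10):
    """Fetch a URL as text; rejects a plain-HTTP URL and unvalidated TLS."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing non-HTTPS URL: " + url)
    ctx = ssl.create_default_context()   # validation on, recommended ciphers
    if audit_context(ctx):
        raise RuntimeError("TLS context does not validate the server")
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, errors="replace")


if __name__ == "__main__":
    # No network access needed: only the context settings are inspected.
    print("default:   ", audit_context(ssl.create_default_context()) or "ok")
    print("unverified:", audit_context(unverified_context()))
```

With the validating context, a failed certificate check surfaces from `urlopen` as `urllib.error.URLError` wrapping an `ssl.SSLCertVerificationError`, which is the point at which an intercepted connection is rejected.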