#1422 new defect

https node.url is not verified by httplib

Reported by: ChosenOne Owned by: nobody
Priority: major Milestone: undecided
Component: code-frontend-cli Version: 1.8.2
Keywords: https security integrity confidentiality Cc:
Launchpad Bug:


Tahoe currently uses httplib for CLI commands. If node.url points to a https resource we will happily perform a https request. The issue is that httplib does not verify server certificates. Using a remote node.url with https wouldn't be as secure as people would expect (cf. man-in-the-middle, ssltrip, etc.).

Change History (1)

comment:1 Changed at 2011-06-23T17:13:59Z by davidsarah

  • Component changed from unknown to code-frontend-cli
  • Keywords security integrity confidentiality added; verify removed
  • Priority changed from minor to major
Note: See TracTickets for help on using tickets.