0

I want to know if the following Python code is vulnerable to end-to-end eavesdropping attacks when the url points to a https:// site but this one does not support SSL encryption.

Why I'm in doubt? because Mechanize internally uses urllib2 but HTTPS requests do not do any verification of the server’s certificate in urllib2

Plus I do not know how to verify if we are actually using a https or http connection with Urllib2/Mechanize. AFAIK Mechanize behaves as a browser, so I don't know if it fallback to http when SSL is not supported by server, or if it performs an insecure https implementation.

How can I check if I'm getting out of Tor circuit unencrypted?

The code:

import socks
import socket
def create_connection(address, timeout=None, source_address=None):
    sock = socks.socksocket()
    sock.connect(address)
    return sock

socks.setdefaultproxy(socks.PROXY_TYPE_SOCKS5, "127.0.0.1", 9050)

# patch the socket module
socket.socket = socks.socksocket
socket.create_connection = create_connection

import urllib2

print "urllib2.urlopen(): ",urllib2.urlopen('https://icanhazip.com').read()

import mechanize
from mechanize import Browser

br = Browser()
print "Mechanize Browser.open(): ", br.open('https://icanhazip.com').read()


print "Mechanize Browser.open(): ", br.open('https://check.torproject.org/').read()
Fallouturama
  • 109
  • 1
  • 1
  • 9
  • you can [add validation of server's ssl certificate to `urllib2`](https://gist.github.com/zed/1347055). Though it won't help if the site redirects from `https` to http`. To find out whether http is used on your end, you could install custom `HTTPHandler()`. – jfs Feb 23 '14 at 01:35
  • I think is a good answer @J.F. Sebastian, perhaps a safe solution is to patch `urllib2` with a dummy `HTTPHandler()`. is this correct? Any orientation on how to code it will be appreciated. By now im failing with it. – Fallouturama Feb 23 '14 at 03:58
  • look at the docs for `urllib2.build_opener()`, `urllib2.install_opener()`. The gist provides an example on how custom `HTTPSHandler()` could be created. You could subclass HTTPHandler and raise `URLError` unconditionally in the overridden `do_open()` method. – jfs Feb 23 '14 at 04:26
  • Great, I've managed to patch, install and get a working `urllib2.HTTPHandler` but `mechanize` is not affected by this changes. I presumed the answer was to use `mechanize.install_opener()` but `mechanize.Browser()` is using other handles. [Read this](http://wwwsearch.sourceforge.net/mechanize/hints.html#handlers). How can I globally ensure `mechanize` to use my patched handle? – Fallouturama Feb 23 '14 at 05:20
  • **Regarding security**, is safe enough to patch `HTTPHandler` or patching `HTTPConection` is safest? – Fallouturama Feb 23 '14 at 05:28

0 Answers0