3

I have a question regarding SSL verification within the requests library for Python, but I believe it to be more general than that.

I am currently ignoring certificate verification because the third party API I need to connect to is using a self-signed certificate.

What are the implications of turning SSL verification off in requests? And what are the implications of not verifying SSL certificates in the real world? Can I guarantee the data transported is secure/encrypted?

Micheal J. Roberts

2 Answers

5

This is a security sin, as anyone could spoof this certificate and intercept your traffic. You should just add the self-signed certificate to the trusted certificate chain of the machine which is using the API. How you do that depends on the operating system and specific setup, but a quick google will guide you to the right solution.

Borisu
  • Thanks Borisu - so is it my certificate that is the issue? Or the API's? I seem to think it is the API's, which I have no control over? – Micheal J. Roberts Dec 12 '19 at 11:54
  • You have no issue at all, besides not checking the certificate. You'll have to download their self-signed certificate and add it to the trust store of your machine, something like this: https://access.redhat.com/documentation/en-us/red_hat_jboss_data_virtualization/6.2/html/security_guide/add_a_certificate_to_a_truststore_using_keytool – Borisu Dec 12 '19 at 11:57
  • I am in discussions with the API in question - would it be better if I asked for a Domain Level cert at the very minimum? – Micheal J. Roberts Dec 12 '19 at 11:58
  • Also, these guys (not the API in question) think that self-signed certificates are ok: https://observersupport.viavisolutions.com/html_doc/current/index.html#page/rest_api/self_signed_certificate.html – Micheal J. Roberts Dec 12 '19 at 12:02
  • But I am more inclined to believe this: https://www.techrepublic.com/article/when-are-self-signed-certificates-acceptable-for-businesses/ – Micheal J. Roberts Dec 12 '19 at 12:04
  • Depends how much you trust them, that's why it's a trust chain. If you think they are honest there is no problem in trusting their certificate. If they are willing to use an authority to sign it for them, that would of course be better. Not to mention that free services like certbot exist, which are trusted by all. – Borisu Dec 12 '19 at 12:21
  • So I am confused - I do trust them. But should I still impose SSL verification? – Micheal J. Roberts Dec 12 '19 at 12:22
  • Is this API GDPR compliant without it? – Micheal J. Roberts Dec 12 '19 at 12:29
  • You should impose verification, BUT after you install their certificate on your machine. Installing it means to add it to your certificate trust chain (check the article I posted for instructions). I'm not familiar with any GDPR provisions about SSL, but you should read up on the GDPR website about that. – Borisu Dec 12 '19 at 14:07
2

Can I guarantee the data transported is secure/encrypted?

The data is encrypted (this is the TLS confidentiality guarantee), but since you did not authenticate the remote party (if you disable certificate validation or bypass all errors) you could just as well be sending the encrypted content to anyone, including an attacker, who of course will read it in plain on their side, as the TLS handshake succeeds if you do not validate the remote party.

TLS provides multiple features, two major ones being authentication and confidentiality. They are orthogonal (you can have one without the other), but it may not be so useful not to have all of them.

Contrary to natural thinking, authentication is more important than confidentiality, because if you have no assurance about who the remote party is, what do you gain by sending it encrypted? Nothing.

Patrick Mevzek
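The following is an added example, not code from the question or from either answer, that makes both answers concrete with only the Python standard library: it mints a throw-away self-signed certificate for a local HTTPS server standing in for the third-party API, then runs the same GET under three client policies: the system trust store (rejected, as the question observed), the equivalent of requests' `verify=False` (succeeds, but any certificate would have been accepted, which is Patrick's point), and the fix Borisu describes, trusting exactly that one certificate (what `verify="/path/to/their-cert.pem"` does in requests). It assumes the `openssl` command-line tool is on PATH; the host name `localhost` and the file names are constructed for the demo.

```python
import http.server, os, ssl, subprocess, tempfile, threading
from http.client import HTTPSConnection
HOST = "localhost"  # name the stand-in "API" cert is issued for (constructed)

def make_self_signed(workdir):
    """Constructed stand-in for the API's self-signed cert (assumes `openssl` on PATH)."""
    key, crt = os.path.join(workdir, "key.pem"), os.path.join(workdir, "cert.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-keyout", key, "-out", crt, "-subj", f"/CN={HOST}",
                    "-addext", f"subjectAltName=DNS:{HOST}"], check=True, capture_output=True)
    return key, crt

class _Handler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

def start_server(key, crt):
    """Local HTTPS server presenting the self-signed cert on a random port."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _Handler)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    srv.socket = ctx.wrap_socket(srv.socket, server_side=True)  # handshake happens in accept()
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def fetch(port, context):
    # One GET under a given client TLS policy: ('ok', body) or ('rejected', reason)
    conn = HTTPSConnection(HOST, port, context=context, timeout=5)
    try:
        conn.request("GET", "/")
        return "ok", conn.getresponse().read().decode()
    except ssl.SSLCertVerificationError as e:
        return "rejected", e.reason

def run_demo():
    with tempfile.TemporaryDirectory() as d:
        key, crt = make_self_signed(d)
        srv = start_server(key, crt)
        port = srv.server_address[1]
        no_verify = ssl.create_default_context()  # requests' verify=False: CERT_NONE,
        no_verify.check_hostname = False          # so the handshake accepts ANY cert
        no_verify.verify_mode = ssl.CERT_NONE
        results = {
            "system_store": fetch(port, ssl.create_default_context()),      # unknown CA -> rejected
            "no_verify": fetch(port, no_verify),                            # works, but unauthenticated
            "pinned": fetch(port, ssl.create_default_context(cafile=crt)),  # requests: verify=crt path
        }
        srv.shutdown()
        return results
```

Note that the pinned context trusts only that certificate, so a different certificate presented for the same host name is rejected exactly like the unknown-CA case, which is the authentication that `verify=False` throws away.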