
Use requests instead urllib #15

@miki725

Random numbers are pretty important in cryptography! I am currently looking for a good entropy source for a project I am working on and came across your lib. Seems very nice; however, I noticed that you are using urllib's urlopen to make API requests to get the entropy.

Maybe you will be willing to switch to using requests, since urllib's urlopen does not validate server SSL certificates, which I think is a potential security risk if a security-conscious project needs to use this lib for a better randomness entropy source. Here is a quote from the docs:

urllib2.urlopen(url[, data][, timeout])
Open the URL url, which can be either a string or a Request object.
Warning HTTPS requests do not do any verification of the server’s certificate.

And here are the requests docs where they clearly have the capability to check server certificate validity:

Requests can verify SSL certificates for HTTPS requests, just like a web browser. To check a host’s SSL certificate, you can use the verify argument:
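
An added example, not part of the original issue or the library's code: a Python 3 standard-library sketch of the certificate check the issue asks for, with the unverified setting beside the verified one. The function names, the audit step, and the idea of passing an explicit `ssl` context to `urlopen` are assumptions made for illustration.

```python
import ssl
import urllib.request
from urllib.parse import urlsplit


def verified_context(cafile=None):
    """TLS client context that validates the chain and the host name."""
    ctx = ssl.create_default_context(cafile=cafile)
    # create_default_context() already sets both; pin them explicitly so a
    # later refactor cannot silently weaken the client.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def unverified_context():
    """The weak setting the issue warns about: nothing is checked."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of findings for a client-side TLS context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("host name is not checked against the certificate")
    return findings


def fetch_entropy(url, timeout=10, context=None):
    """Fetch bytes over HTTPS, refusing plain HTTP or a weak TLS context."""
    if urlsplit(url).scheme != "https":
        raise ValueError("entropy must be fetched over https")
    ctx = context or verified_context()
    problems = audit_context(ctx)
    if problems:
        raise ValueError("refusing TLS context: " + "; ".join(problems))
    # Hypothetical endpoint supplied by the caller; a failed handshake raises
    # urllib.error.URLError wrapping ssl.SSLCertVerificationError.
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read()
```

Both refusals in `fetch_entropy` happen before any socket is opened, so a misconfigured caller fails closed instead of reading entropy from an unauthenticated peer.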
