Use requests instead urllib

[miki725]

Random numbers are pretty important in cryptography! I am currently looking for a good entropy source for a project I am working on and came across your lib. Seems very nice however I noticed that you are using urllib's urlopen to make API requests to get the entropy.

Maybe you will be willing to switch to use requests since urllib's urlopen does not validate server SSL certificates which I think is a potential security risk if a security conscious project needs to use this lib for better randomness entropy source. Here is a quote from docs:

urllib2.urlopen(url[, data][, timeout])
Open the URL url, which can be either a string or a Request object.
Warning HTTPS requests do not do any verification of the server’s certificate.

And here are the requests docs where they clearly have the capability to check server certificate validity:

Requests can verify SSL certificates for HTTPS requests, just like a web browser. To check a host’s SSL certificate, you can use the verify argument:

[pypingou]

One problem with requests is the fact that it bundles a lot of code making it very vulnerable to security bug in other libraries.

Upstream has been asked several time about giving the possibility to unbundle the library it uses, requests that have been denied every time.

[miki725]

what do you mean it bundles a lot of code? requests is a single library.

even if it bundles a lot of code, it is still more secure than using urllib because urllib already has security problem of not verifying SSL certs whereas requests is vulnerable.

[pypingou]

The whole discussion about requests is at https://github.com/kennethreitz/requests/pull/1812

[miki725]

@pypingou what would recommend then?

[pypingou]

@miki725 to be honest, I don't have a good solution, you are right that requests is more secure as it checks the certificate, so I guess it's a good idea to switch to it, one just have to be aware of requests' limitations.

[lmacken]

I'm definitely open to merging a pull request that migrates from urllib->requests.

@pypingou's points are valid, and it is a concern, however distros like Fedora unbundle python-requests. But since quantumrandom isn't properly packaged anywhere, as far as I know, that doesn't really help :\

[miki725]

@lmacken thanks. I might try to do one this weekend. Will send PR when ready.

[pypingou]

Running into a similar situation elsewhere, I found http://stackoverflow.com/questions/1087227/validate-ssl-certificates-with-python which gives some options for this question. Apparently pycurl might also be one as well as this library back-porting code from py3 https://pypi.python.org/pypi/backports.ssl_match_hostname/

[pypingou]

https://git.fedorahosted.org/cgit/mod_nss.git/plain/test/test_request.py might be interesting as well