Python InsecureRequestWarning 的真正含义是什么? [英] What does the Python InsecureRequestWarning really mean?

问题描述

我收到警告:

/.../local/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:734: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)

我正在阅读文档.

如果我知道自己在做什么，我会看到很多关于如何禁用它的帖子，例如 这个.

I'm seeing lots of posts on how to disable it if I know what I'm doing, like this one.

但我仍然无法弄清楚错误的含义.我认为这意味着我缺少证书(因为它只发生在我的 VPS 上，而不发生在运行相同版本脚本的 Mac 上)，但是 我不明白为什么我需要证书来制作对第三方 API 的安全请求.

But I'm still having trouble figuring out what the error means. I gather that it means that I'm missing a certificate (because it only happens on my VPS, not on my Mac running the same version of a script), but I don't understand why I need a certificate to make a secure request to a third-party API.

一个有用的总结(或只是一个正确方向的点)将不胜感激，这样我就可以决定是否禁用它.我的直觉是我不应该禁用它，所以我想弄清楚如何正确解决这个问题.

A helpful summary (or just a point in the right direction) would be much appreciated so I can decide whether or not to disable it. My gut is that I shouldn't disable it, so I'd like to figure out how to address the problem properly.

推荐答案

我很高兴您没有简单地禁用警告.好问题，实际上！这里需要的是对信任链"的工作原理有基本的了解.这并不可惜，许多人对此并不了解.但是，作为开发人员应该了解基础知识！继续吧，也许阅读一下整个事情是如何运作的.

I am glad that you did not simply disable the warning. Great question, actually! What's required here is basic understanding of how the "chain of trust" is working. That is not a shame, many do not have knowledge about this. However, as a developer one should know the basics! Go ahead, and maybe read about how the whole thing works.

简而言之，TLS 旨在保证保密性、真实性和完整性.安全社区的常识是 (*):如果没有证书验证，您将无这三项，因为您很容易受到中间人攻击.也就是说，验证证书，或者您也可以停止使用 HTTPS.这就是警告的内容.

In short, TLS is meant to guarantee secrecy, authenticity, and integrity. Common sense in the security community is (*): without certificate verification you get NONE of these three items, because you are vulnerable to man in the middle attacks. That is, verify the certificate, or you might just as well stop using HTTPS. That is what the warning is about.

更多背景信息:此安全架构的一部分是远程主机声称拥有一个由信任链中更高级别的人签署的证书，因此-称为证书颁发机构 (CA).客户端需要验证该 CA 确实签署了有问题的证书.为了使此验证工作，客户端需要一个包含许多 CA 公钥的本地数据库(将它们视为信任锚"，其集合可以称为证书包").

A little more context: part of this security architecture is that the remote host claims to have a certificate signed by someone higher in the chain of trust, a so-called certificate authority (CA). The client needs to verify that this CA actually did sign that certificate in question. For this verification to work, the client needs a local database with the public keys of many CAs (think of these as "trust anchors", the collection of which can be called "certificate bundle").

我不明白为什么我需要证书才能提出安全请求到第三方 API

I don't understand why I need a certificate to make a secure request to a third-party API

请阅读其他地方的详细信息.但是，为了这个答案的完整性，这是一个高级抽象，应该澄清为什么需要一些外部信息源:

Please, read about the details elsewhere. But, for completeness of this answer, this is a high-level abstraction that should clarify why some external source of information is required:

• 您的客户不信任远程端.
• 因此，您的客户需要让第三方参与并询问远程端的可信度.
• 该第三方是您的许多 CA 公钥的本地数据库，即所谓的证书包".

您可以使用 requests 库代替urllib3，它默认执行证书验证(并提供自己的 CA 数据库).

You can use the requests library instead of urllib3, it performs certificate verification by default (and ships its own CA database).

(*) 未经验证的 HTTPS 连接可能比普通 HTTP更好"，但这需要根据具体情况进行评估.

(*) unverified HTTPS connections can be "better" than plain HTTP, but this needs to be evaluated on a case-to-case basis.

这篇关于Python InsecureRequestWarning 的真正含义是什么?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！