HTTPS certificates are not checked

[davidn]

The library uses python's httplib.HTTPSConnection to connect to the Dyn API endpoint. The python documentation notes "Warning: This does not do any verification of the server’s certificate."

Without certificate verification, if an attacker is able to intercept the traffic she can read or even alter the communications.

It does not seem that httplib provides a way to do this verification. Some people have produced a HTTPSConnection wrapper to do validation. Other people recommend using pycurl.

[medina]

How about using requests instead?

Yes, another dependency, but it solves a number of issues including this one.

[egon1024]

It's a good question. We tried very hard not to require any external libraries for this package. We might have to give in on that idea though.