
suspicious-unverified-context-usage (S323)

Derived from the flake8-bandit linter.

What it does

Checks for uses of ssl._create_unverified_context.

Why is this bad?

PEP 476 enabled certificate and hostname validation by default in Python standard library HTTP clients. Previously, Python did not validate certificates by default, which could allow an attacker to perform a "man in the middle" attack by intercepting and modifying traffic between client and server.

To support legacy environments, ssl._create_unverified_context reverts to the previous behavior, which does not perform verification. Otherwise, use ssl.create_default_context to create a secure context.

Example

import ssl

context = ssl._create_unverified_context()

Use instead:

import ssl

context = ssl.create_default_context()
