Older versions of the Python standard library did not validate server certificates for https. For that reason, the long-standing advice for anyone who wants to use https properly has been to use requests rather than the standard library. [^1]
For several years now the importance of https has been loudly stressed, and it is a poor state of affairs for the standard library not to validate by default, so starting with Python 3.5 certificates are validated using the system's default CA certificates (PEP 476).
This change is so important to security that it was backported to versions prior to 3.5, specifically 2.7.9 and 3.4.3.
If you are using one of these versions or later, the server's certificate should be validated even when you use the standard library's urllib. If you want to prioritize reducing dependencies over the benefits that urllib3 / requests provide, such as connection pools, make sure your Python version is at least one of these.
[^1]: requests bundles and distributes a cacerts.pem created from Mozilla's CA List. (See also: certifi) When the CA List is updated, because a CA was added or because of something some CA has done, make sure the update is reflected in the bundle shipped with the requests you have installed, and update it.
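To confirm that an interpreter really has the default validation described above, the following added example (not code from the original post) checks the version against the releases named here and inspects the context the standard library builds for https. The helper names are hypothetical; `ssl._create_default_https_context` is the private hook described in PEP 476, which code that opts out globally rebinds to `ssl._create_unverified_context`.

```python
import ssl
import sys


def pep476_backported(version_info=sys.version_info):
    """True for 2.7.9+, 3.4.3+ and 3.5+, the versions named in the post."""
    v = tuple(version_info[:3])
    if v[0] == 2:
        return v >= (2, 7, 9)
    return v >= (3, 4, 3)


def context_verifies(ctx):
    """True only if the chain is validated AND the hostname is checked."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def stdlib_https_verifies():
    """Inspect the context factory http.client / urllib use for https URLs."""
    factory = getattr(ssl, "_create_default_https_context", None)
    if factory is None:
        # Interpreter predates PEP 476: no validation by default.
        return False
    return context_verifies(factory())


def audit():
    """Collect the facts worth logging at start-up or in a CI check."""
    paths = ssl.get_default_verify_paths()
    return {
        "python": ".".join(str(n) for n in sys.version_info[:3]),
        "version_ok": pep476_backported(),
        "default_https_verifies": stdlib_https_verifies(),
        "cafile": paths.cafile or paths.openssl_cafile,
        "capath": paths.capath or paths.openssl_capath,
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print("{:<24} {}".format(key, value))
```

A `default_https_verifies` of `False` on a version that passes the version check means something in the process has rebound the hook, which is worth tracing back to the offending import.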