I have a question regarding SSL verification within the requests library for Python, but I believe it to be more general than that.
I am currently ignoring certificate verification because the third party API I need to connect to is using a self-signed certificate.
What are the implications of turning SSL verification off in requests? And what are the implications of not verifying SSL certificates in the real world? Can I guarantee the data transported is secure/encrypted?
This is a security sin, as anyone could spoof this certificate and intercept your traffic. You should just add the self-signed certificate to the trusted certificate chain of the machine which is using the API. How you do that depends on the operating system and specific setup, but a quick google will guide you to the right solution.
Can I guarantee the data transported is secure/encrypted?
The data is encrypted (this is the TLS confidentiality guarantee), but since you did not authenticate the remote party (if you disable certificate validation or bypass all errors), you could just as well be sending the encrypted content to anyone, including an attacker, who of course will read it in plain on his side, as the TLS handshake succeeds if you do not validate the remote party.
TLS provides multiple features, two major ones being authentication and confidentiality. They are orthogonal (you can have one without the other) but it may not be so useful to not have all of them.
Contrary to natural thinking, authentication is more important than confidentiality, because if you have no assurance about who the remote party is, what do you gain by sending it encrypted? Nothing.
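The two configurations the answers above contrast, shown side by side as an added example (not code from the question or either answer). It uses the standard-library `ssl` module so it runs offline; the certificate path in the comments is a hypothetical placeholder, and the function names are chosen for this illustration.

```python
import ssl
import urllib.request


def insecure_context():
    """Roughly what requests does with verify=False: the channel is
    encrypted, but any certificate from any peer is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # no authentication of the remote party
    return ctx


def trusted_context(ca_pem_path=None):
    """Authenticate the peer. Pass the API's self-signed certificate
    (PEM file) to trust exactly that certificate; with no path the
    system trust store is used.
    requests equivalent: requests.get(url, verify="/path/to/api-cert.pem")
    (hypothetical path)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED by default
    if ca_pem_path:
        # Raises if the file is missing or unreadable: fail closed
        # rather than silently falling back to no verification.
        ctx.load_verify_locations(cafile=ca_pem_path)
    else:
        ctx.load_default_certs()
    return ctx


def guarantees(ctx):
    """Summarise which TLS properties a context actually enforces."""
    return {
        "encrypted": True,  # TLS always encrypts once the handshake completes
        "peer_authenticated": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": ctx.check_hostname,
    }


def fetch(url, ctx):
    """Fetch a URL with the given context; with trusted_context() this raises
    ssl.SSLCertVerificationError if the peer presents any other certificate."""
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":
    print("verify off:", guarantees(insecure_context()))
    print("verify on: ", guarantees(trusted_context()))
```

Because hostname checking stays on, the self-signed certificate must list the API's hostname (subject alternative name) for the handshake to succeed.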