This repository has been archived by the owner on Jul 24, 2023. It is now read-only.

Vulnerable to man-in-the-middle attacks when not using pycurl #67

Closed
kilink opened this issue Aug 20, 2013 · 1 comment
Comments

kilink commented Aug 20, 2013

HTTPS requests made by this package are vulnerable to MITM attacks when the user does not have pycurl installed, because urllib2 does not verify SSL certificates.

While openid.fetchers also has a fetcher for httplib2, unless explicitly registered it will not be chosen as the default fetcher.

At the very least I feel that this should be documented somewhere, but in my opinion the package should simply add a dependency on a library such as Requests that does SSL verification, and avoid the shenanigans of trying to import various other third-party libraries with fallbacks. If this is not feasible, then httplib2 should at least be prioritized above urllib2, and perhaps a Requests fetcher should be added as the preferred fetcher.
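The two points in the report above, a fallback chain that silently ends in a non-verifying backend and the need for a fetcher that actually checks certificates, as an added example that is not part of the issue or of python-openid. The `openid.fetchers` module is not imported; the backend names in `VERIFYING_BACKENDS`, the `select_fetcher()` policy and the `VerifyingFetcher` class are assumptions made for illustration, built only on the Python 3 standard library.

```python
"""Fail-closed backend selection and a certificate-verifying HTTPS fetcher.

Added example, not code from python-openid. The backend names and the
selection policy are assumptions chosen to illustrate the issue above.
"""
import http.client
import ssl
from urllib.parse import urlsplit

# Backends that verify the server certificate, most preferred first
# (assumed ordering). Python 2's urllib2 performed no verification and is
# deliberately absent from this list.
VERIFYING_BACKENDS = ("requests", "httplib2", "pycurl")


def select_fetcher(available, allow_unverified=False):
    """Pick the first verifying backend that is installed.

    `available` is the set of importable backend names. The original
    fallback chain silently ended in urllib2; here the non-verifying
    backend is only chosen when the caller opts in explicitly, otherwise
    selection fails closed.
    """
    for name in VERIFYING_BACKENDS:
        if name in available:
            return name
    if allow_unverified and "urllib2" in available:
        return "urllib2"
    raise RuntimeError("no certificate-verifying HTTP backend installed")


def make_verifying_context():
    """Build an SSL context that checks both the chain and the hostname."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def verification_enabled(ctx):
    """True only when the context rejects untrusted or mismatched certs."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


class VerifyingFetcher:
    """Minimal HTTPS GET fetcher on http.client that refuses to run unverified."""

    def __init__(self, context=None, timeout=10):
        self.context = context if context is not None else make_verifying_context()
        if not verification_enabled(self.context):
            raise ValueError("refusing to fetch with a non-verifying SSL context")
        self.timeout = timeout

    def fetch(self, url):
        """GET `url` over TLS; returns (status, body). Plain http is rejected."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            raise ValueError("only https URLs are fetched by this fetcher")
        conn = http.client.HTTPSConnection(
            parts.hostname, parts.port or 443,
            context=self.context, timeout=self.timeout)
        try:
            path = parts.path or "/"
            if parts.query:
                path += "?" + parts.query
            conn.request("GET", path, headers={"Host": parts.netloc})
            resp = conn.getresponse()
            return resp.status, resp.read()
        finally:
            conn.close()


if __name__ == "__main__":
    print(select_fetcher({"pycurl", "urllib2"}))    # pycurl
    print(select_fetcher({"httplib2", "urllib2"}))  # httplib2
    try:
        select_fetcher({"urllib2"})
    except RuntimeError as exc:
        print("refused:", exc)
```

The design choice worth copying is that both `select_fetcher()` and `VerifyingFetcher.__init__` fail closed: a deployment that is missing every verifying backend raises at startup instead of quietly downgrading to an unverified connection, which is the behaviour the report describes.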

timcappalli (Member) commented

This repo is being archived. Closing issue.

timcappalli closed this as not planned on Jul 24, 2023.