[Python-Dev] PEP 476: Enabling certificate validation by default!

Nick Coghlan ncoghlan at gmail.com
Sun Aug 31 23:41:21 CEST 2014


On 1 Sep 2014 06:32, "Paul Moore" <p.f.moore at gmail.com> wrote:

> On 31 August 2014 21:15, Antoine Pitrou <antoine at python.org> wrote:
> > What do you call your local cert store?
>
> I was referring to Christian's comment
> > It's very simple to trust a self-signed certificate: just download it and stuff it into the trust store.
>
> From his recent response, I guess he meant the system store, and he agrees that this is a bad option. OK, that's fair, but:
>
> a) Is there really no OS-level personal trust store? I'm thinking of Windows here for my own personal use, but the same question applies elsewhere.
>
> b) I doubt my confusion over Christian's response is atypical. Based on what he said, if we hadn't had the subsequent discussion, I would probably have found a way to add a cert to "the store" without understanding the implications. While it's not Python's job to educate users, it would be a shame if its default behaviour led people to make ill-informed decisions.

Right, this is why I came to the conclusion we need to follow the browser vendors' lead here and support a per-user Python-specific supplementary certificate cache before we can start validating certs by default at the Python level. There are still too many failure modes for cert management on private networks for us to safely ignore the use case of needing to force connections to services with invalid certs.

We don't need to solve that problem here today - we can push it back to Alex (and anyone else interested) as a building block to investigate providing as part of cryptography.io or certi.fi, with a view to making a standard library version of that (along with any SSL module updates) part of PEP 476.

In the meantime, we can update the security considerations for the ssl module to make it clearer that the defaults are set up for trusted networks and that using it safely on the public internet may mean you're better off with a third party library like requests or Twisted. (I'll start another thread shortly that is highly relevant to that topic)

Regards, Nick.

> Maybe an SSL HOWTO would be a useful addition to the docs, if anyone feels motivated to write one.
>
> Regardless, thanks for the education!
> Paul


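An added illustration of the idea discussed in this message, not code from the thread, PEP 476 or the standard library: a verifying client context that trusts the system CAs plus a per-user supplementary bundle, so a self-signed certificate can be trusted without adding it to the system store. The bundle path and the function names are assumptions made for this sketch, and the ownership and permission check assumes a POSIX system.

```python
import os
import ssl
import stat
from pathlib import Path

# Hypothetical per-user location; not a path defined by Python or PEP 476.
USER_CA_BUNDLE = Path(os.path.expanduser("~/.config/python/extra-ca.pem"))


def _check_private(path):
    """Refuse a bundle that other local users could have modified (POSIX)."""
    st = path.stat()
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        raise PermissionError(f"{path} is not owned by the current user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError(f"{path} is writable by group or others")


def make_context(user_bundle=USER_CA_BUNDLE):
    """Verifying client context: system CAs plus the per-user bundle, if any."""
    # create_default_context() loads the system trust store and turns on
    # CERT_REQUIRED and hostname checking; neither is relaxed below.
    ctx = ssl.create_default_context()
    user_bundle = Path(user_bundle)
    if user_bundle.is_file():
        _check_private(user_bundle)
        # Adds to the system CAs rather than replacing them. The extra trust
        # applies only to connections made with this context.
        ctx.load_verify_locations(cafile=str(user_bundle))
    return ctx
```

The returned context can be passed to any standard library call that accepts `context=`, for example `urllib.request.urlopen(url, context=make_context())`.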


