[Python-Dev] Enable Hostname and Certificate Chain Validation (original) (raw)
Paul Moore p.f.moore at gmail.com
Wed Jan 22 12:21:27 CET 2014
- Previous message: [Python-Dev] Enable Hostname and Certificate Chain Validation
- Next message: [Python-Dev] Enable Hostname and Certificate Chain Validation
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 22 January 2014 10:30, Donald Stufft <donald at stufft.io> wrote:
Python 3.4 has made great strides in making it easier for applications to simply turn on these settings, however many people are not aware at all that they need to opt into this. Most assume that it will operate similarly to their browser, curl, wget, etc and validate by default and in the typical style of security related issues it will appear to work just fine however be grossly insecure.
Two things:
- To be "like the browser" we'd need to use the OS certificate store, which isn't the case on Windows at the moment (managing those certificate bundle files is most definitely not "like the browser" - I'd have no idea how to add a self-certificate to the bundle file embedded in pip, for example).
- Your proposal is that because some application authors have not opted in yet, we should penalise the end users of those applications by stopping them being able to use unverified https? And don't forget, applications that haven't opted in will have no switch to allow unverified use. That seems to be punishing the wrong people.
Paul
- Previous message: [Python-Dev] Enable Hostname and Certificate Chain Validation
- Next message: [Python-Dev] Enable Hostname and Certificate Chain Validation
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]