[Python-Dev] Enable Hostname and Certificate Chain Validation

Donald Stufft donald at stufft.io
Wed Jan 22 12:29:47 CET 2014


On Jan 22, 2014, at 6:21 AM, Paul Moore <p.f.moore at gmail.com> wrote:

> On 22 January 2014 10:30, Donald Stufft <donald at stufft.io> wrote:
>
>> Python 3.4 has made great strides in making it easier for applications to simply turn on these settings, however many people are not aware at all that they need to opt into this. Most assume that it will operate similarly to their browser, curl, wget, etc. and validate by default, and in the typical style of security-related issues it will appear to work just fine however be grossly insecure.
>
> Two things:
>
> 1. To be "like the browser" we'd need to use the OS certificate store, which isn't the case on Windows at the moment (managing those certificate bundle files is most definitely not "like the browser" - I'd have no idea how to add a self-certificate to the bundle file embedded in pip, for example).

Python 3.4 added the ability to use the OS cert store on Windows, see http://bugs.python.org/issue17134.

> 2. Your proposal is that because some application authors have not opted in yet, we should penalise the end users of those applications by stopping them being able to use unverified https? And don't forget, applications that haven't opted in will have no switch to allow unverified use. That seems to be punishing the wrong people.

Some applications will need to be updated, yes, to provide such a switch, but the alternative is that every user of this API needs to configure it to verify certificates. The difference is that with my proposal the error condition is very obvious: the SSL certificate will fail to validate, a bug can be filed and it can be fixed. With the current behavior the only way you’d know is if you expected it to fail and didn’t, or you went specifically looking.

It’s a dangerous-by-default API that punishes people for not knowing that they need to turn it on, and punishes people who use those applications. However it won’t punish them directly; instead it’ll just make it possible to MITM their connection, possibly leaking sensitive material.


Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
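The distinction the thread argues over, a context that validates the chain and matches the hostname versus one that silently accepts anything, as an added Python example that is not part of this message or of CPython itself. It assumes Python 3.6 or later (where `verify_mode` is reported as an enum) and uses only the public `ssl` module; `audit_context` and `wrap_if_verifying` are hypothetical helper names chosen for the example.

```python
import socket
import ssl


def unverified_context():
    """Client context with the pre-3.4 style defaults: no CA chain check and
    no hostname match.  The weak settings are applied explicitly so the example
    runs on current Python without relying on the deprecated bare
    ssl.SSLContext() defaults.  check_hostname must be cleared first, because
    ssl refuses CERT_NONE while hostname checking is still enabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context():
    """The verifying context Python 3.4 introduced.  create_default_context()
    sets CERT_REQUIRED, turns on hostname checking and calls
    load_default_certs(), which on Windows reads the OS certificate store
    (the change from issue17134) and elsewhere uses OpenSSL's default CA paths."""
    return ssl.create_default_context()


def describe(ctx):
    """Summarise the two settings the thread is about, for logging or audits."""
    return {
        "verify_mode": ssl.VerifyMode(ctx.verify_mode).name,
        "check_hostname": bool(ctx.check_hostname),
    }


def audit_context(ctx):
    """Return findings explaining why a client context is unsafe; an empty list
    means both chain validation and hostname matching are on."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode is CERT_NONE: peer certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not matched against the hostname")
    return findings


def wrap_if_verifying(ctx, sock, hostname):
    """Policy gate for application code: refuse to start TLS with a context that
    would accept a MITM, so misconfiguration fails loudly instead of working
    'just fine' while being insecure."""
    problems = audit_context(ctx)
    if problems:
        raise ValueError("refusing unverified TLS: " + "; ".join(problems))
    return ctx.wrap_socket(sock, server_hostname=hostname)


def cert_none_rejected_while_checking_hostname():
    """Show the coupling built into the API: downgrading a verifying context to
    CERT_NONE while check_hostname is enabled raises ValueError."""
    ctx = verified_context()
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, ctx in (("unverified", unverified_context()), ("verified", verified_context())):
        print(name, describe(ctx), audit_context(ctx) or "OK")
    # A constructed, unconnected socket: the gate rejects it before any handshake.
    try:
        wrap_if_verifying(unverified_context(), socket.socket(), "example.invalid")
    except ValueError as exc:
        print("gate:", exc)
    print("CERT_NONE rejected while check_hostname is on:",
          cert_none_rejected_while_checking_hostname())
```

The gate is the application-side equivalent of the default Donald is asking for: a context that does not verify is treated as a bug to fix rather than a connection that quietly succeeds.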



