[Python-Dev] Enable Hostname and Certificate Chain Validation
M.-A. Lemburg mal at egenix.com
Wed Jan 22 12:53:14 CET 2014
- Previous message: [Python-Dev] Enable Hostname and Certificate Chain Validation
- Next message: [Python-Dev] Enable Hostname and Certificate Chain Validation
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 22.01.2014 12:36, Donald Stufft wrote:
> On Jan 22, 2014, at 6:30 AM, M.-A. Lemburg <mal at egenix.com> wrote:
>
>> The change would also disable all services using self-signed certificates which are very common in internal networks and for ad-hoc setups. Many routers and other devices use self-signed certificates when offering HTTPS services.
>
> It will just disable them by default, they can still easily be accessed you’d just need to pass the “do not verify” flag. This clearly indicates that you’re opting out of the S in HTTPS.
>
>> I think overall, it's good to have default security, but locking out all certificates which do not have their root CA certs installed in default installations of systems per default would likely lead to people seeking other more insecure ways of getting things to work, rather than asking their admins to add their CA certs to the certificate chain configuration. So I'm not sure whether raising errors is the best way to achieve better default security. Perhaps just using warnings would be better.
>
> Again it’s not “locking out”, it’s simply “requires explicitly saying I want to not validate”.

This would have to be configurable without changing application code, e.g. using an environment setting.
Otherwise, you do lock out existing scripts and applications from using Python 3.6 by requiring supporting custom configurations from all of them.
Simply saying: oh, just change your code to never validate is not a good solution either.

> It’s hard to be more insecure than not verifying. Just about the only other way is to use plaintext but the only real difference there is passive vs active attacks. However typically if you’re in the situation to do a passive attack you can also do an active attack. So “more insecure” is minorly more insecure while an error is drastically more secure.

I disagree with that statement. Using HTTPS without verification is still far more secure than using plain text.
I know that verification is a lot better, but please remember that practicality beats purity.
-- Marc-Andre Lemburg eGenix.com
eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg Registered at Amtsgericht Duesseldorf: HRB 46611 http://www.egenix.com/company/contact/
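
The options debated in this thread (verification on by default, an explicit opt-out, and a setting that can be changed without touching application code), as an added example that is not part of the original message and not CPython's own behaviour. The environment variable names `APP_TLS_VERIFY` and `APP_TLS_EXTRA_CA` are hypothetical, chosen for this sketch.

```python
import os
import ssl

# Hypothetical variable names, invented for this example.
VERIFY_VAR = "APP_TLS_VERIFY"      # "1" (default) or "0"
EXTRA_CA_VAR = "APP_TLS_EXTRA_CA"  # path to a PEM file with an internal CA


def build_context(environ=os.environ):
    """Return a client SSLContext configured from the environment."""
    verify = environ.get(VERIFY_VAR, "1")
    if verify not in ("0", "1"):
        # Fail closed: a typo must not silently turn verification off.
        raise ValueError(f"{VERIFY_VAR} must be '0' or '1', got {verify!r}")

    # Default posture: chain validation and hostname checking both on.
    ctx = ssl.create_default_context()

    extra_ca = environ.get(EXTRA_CA_VAR)
    if extra_ca:
        # Trust an internal or self-signed CA in addition to the system
        # store; raises if the file is missing or is not valid PEM.
        ctx.load_verify_locations(cafile=extra_ca)

    if verify == "0":
        # Explicit opt-out. check_hostname has to be cleared first: the
        # ssl module refuses CERT_NONE while hostname checking is enabled.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe(ctx):
    """Summarise the posture of a context for logging or assertions."""
    return {
        "chain_validated": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": ctx.check_hostname,
    }


if __name__ == "__main__":
    print("default:", describe(build_context({})))
    print("opt-out:", describe(build_context({VERIFY_VAR: "0"})))
```

Pointing `APP_TLS_EXTRA_CA` at the internal CA keeps both checks enabled for a self-signed deployment, which is the alternative to switching verification off.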