[Python-Dev] Enable Hostname and Certificate Chain Validation (original) (raw)

Paul Moore p.f.moore at gmail.com
Wed Jan 22 13:17:52 CET 2014

On 22 January 2014 12:02, Donald Stufft <donald at stufft.io> wrote:

We also have to account for the fact that an awful lot of Python applications are corporate ones relying on perimeter defence for security, or private CAs, or just self-signed certificates that their users have already accepted. There are limits to the amount of backwards incompatible change users will tolerate, and at this point in time we're still trying to get people to accept proper Unicode support. Most of those add their private CAs to the system cert stores which would still work fine. I don’t think this change is one that users would be very upset about. We received very positive feedback in doing similar for Pip and we did break things for a few people.

Speaking as someone whose day job consists entirely of working in a corporate "behind the firewall" environment, in my experience this is simply wrong. Most companies do not add private or self certificates to the system stores. Rather, they expect their end users to click on "Yes, Allow" in the browser every time they access the webpage. In many cases even the local PC store and exception list is locked down, so the user has no way of even avoiding this on a local basis. Python and applications built on Python are often used unofficially in such organisations for productivity-enhancing applications. Because it's unofficial, it's often latest versions. Because it's to improve productivity, grabbing existing apps and libraries and having them work rather than writing your own is crucial.

Seriously - the security viewpoints I'm seeing here are so far from corporate life that it's ridiculous. (But to be fair to corporate environments, the firewalls involved mean that the systems involved often have so little internet access that you can essentially ignore anything other than internal threats).

Paul

More information about the Python-Dev mailing list