[Python-Dev] Enable Hostname and Certificate Chain Validation

M.-A. Lemburg mal at egenix.com
Wed Jan 22 14:16:18 CET 2014


On 22.01.2014 13:43, Jesse Noller wrote:

>> Well, it's not really a security issue, since the security features are present in Python 3.4. It's just that the user has to enable them.
>
> I have to concur with Donald here - in the case of security, especially language security which directly impacts the implicit security of downstream applications, I should not have to opt in to the most secure defaults. Yes; this potentially breaks applications relying on insecure / loose defaults. However it changes the model to "you are, by default, explicitly secure" and then relies on the domain knowledge of an application developer to harden their application. When, if this changes, an application breaks, it will be in a plainly obvious way which can quickly be resolved.

The "can quickly be resolved" is the issue...

> Donald is perfectly right: today, it's trivial to MITM an application that relies on the current behavior; this is bad news bears for users and developers as it means they need domain knowledge to secure their applications by default that they may not have.

I don't think you need much domain knowledge to insert a single line of code into applications to enable the checks.

Using an environment switch the extra checks could even be enabled without any code changes.

-- Marc-Andre Lemburg eGenix.com



