[Python-Dev] Enable Hostname and Certificate Chain Validation

Benjamin Peterson bp at benjamin-peterson.org
Wed Jan 22 15:32:43 CET 2014


On Wed, Jan 22, 2014, at 04:02 AM, Donald Stufft wrote:

> On Jan 22, 2014, at 6:45 AM, Nick Coghlan <ncoghlan at gmail.com> wrote:
>
>> On 22 January 2014 21:21, Paul Moore <p.f.moore at gmail.com> wrote:
>>> On 22 January 2014 10:30, Donald Stufft <donald at stufft.io> wrote:
>>>> Python 3.4 has made great strides in making it easier for applications
>>>> to simply turn on these settings, however many people are not aware
>>>> at all that they need to opt into this. Most assume that it will operate
>>>> similarly to their browser, curl, wget, etc and validate by default and in
>>>> the typical style of security related issues it will appear to work just fine
>>>> however be grossly insecure.
>>>
>>> Two things:
>>>
>>> 1. To be "like the browser" we'd need to use the OS certificate store,
>>> which isn't the case on Windows at the moment (managing those
>>> certificate bundle files is most definitely not "like the browser" -
>>> I'd have no idea how to add a self-certificate to the bundle file
>>> embedded in pip, for example).
>>> 2. Your proposal is that because some application authors have not
>>> opted in yet, we should penalise the end users of those applications
>>> by stopping them being able to use unverified https? And don't forget,
>>> applications that haven't opted in will have no switch to allow
>>> unverified use. That seems to be punishing the wrong people.
>>
>> Right, the browsers have a whole system of "click through" security to
>> make the web (and corporate intranets!) still usable even when they
>> only accept CA signed certs by default. With a programming language,
>> there's no such interactivity, so applications just break and users
>> don't know why.
>>
>> It's notable that even Linux distros haven't made this change in their
>> system Python builds, and commercial Linux distros have raised
>> paranoia to an art form (since that's a respectable chunk of what
>> their users are paying for).
>
> I was actually talking to a Debian maintainer about the likelihood of
> making this change there earlier today :) If I fail at making this change
> in upstream I’ll be lobbying downstream and then we’ll just have different
> behaviors based on where you get your Python from which I think stinks.

I suppose if Debian wants to serve as a test ground to determine whether everyone is happy about having their scripts broken, that's fine, too.
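
The "opt in" the thread is arguing about is a property of the ssl.SSLContext an application connects with. The example below is added here and is not code from the thread or from CPython: it builds the two contexts under discussion (the old validate-nothing default and the validating context that create_default_context() returns), audits what each will actually enforce, and shows two guard rails the ssl module grew later (Python 3.7+) that stop validation from being switched off by accident. The function names, the `extra_cafile` parameter and the `context_for` switch are this example's own assumptions; the ssl calls are standard-library API.

```python
import ssl
from typing import Optional


def legacy_style_context() -> ssl.SSLContext:
    """Reproduce the pre-3.4 default behaviour: no chain validation and no
    hostname check, so any certificate (including a forged one) is accepted.

    Order matters: check_hostname has to be switched off before verify_mode
    can be lowered to CERT_NONE, otherwise the ssl module raises ValueError.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def validating_context(extra_cafile: Optional[str] = None) -> ssl.SSLContext:
    """The opt-in discussed in the thread: create_default_context() returns a
    context with CERT_REQUIRED, check_hostname=True and the platform CA store
    loaded via load_default_certs() (on Windows, since 3.4, that reads the
    system certificate store rather than a bundle file).

    extra_cafile (an assumption of this example) lets an application trust an
    internal or self-signed CA on top of the system roots instead of turning
    validation off. It is loaded separately because passing cafile= to
    create_default_context() replaces the default roots rather than adding
    to them.
    """
    ctx = ssl.create_default_context()
    if extra_cafile is not None:
        ctx.load_verify_locations(cafile=extra_cafile)
    return ctx


def context_for(verify: bool, extra_cafile: Optional[str] = None) -> ssl.SSLContext:
    """The application-level switch the thread says most apps lack: validate
    by default, with an explicit, visible way to turn it off (hypothetical
    --no-verify flag or similar)."""
    return validating_context(extra_cafile) if verify else legacy_style_context()


def audit(ctx: ssl.SSLContext) -> dict:
    """Report what a context will actually enforce during the handshake."""
    stats = ctx.cert_store_stats()  # {'x509': n, 'crl': n, 'x509_ca': n}
    return {
        "chain_validated": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": bool(ctx.check_hostname),
        "trusted_cas": stats["x509_ca"],
        "minimum_version": ctx.minimum_version.name,
    }


def is_grossly_insecure(ctx: ssl.SSLContext) -> bool:
    """The failure mode described in the thread: the connection 'works' but
    neither the certificate chain nor the hostname is verified."""
    report = audit(ctx)
    return not (report["chain_validated"] and report["hostname_checked"])


def disabling_verification_is_guarded() -> bool:
    """Since Python 3.7, lowering verify_mode to CERT_NONE while
    check_hostname is still True raises ValueError, so validation cannot be
    lost by flipping a single attribute."""
    ctx = validating_context()
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        return True
    return False


def hostname_check_pulls_in_chain_validation() -> bool:
    """Since Python 3.7, enabling check_hostname on a CERT_NONE context
    automatically raises verify_mode to CERT_REQUIRED: a hostname check
    against an unvalidated chain would be meaningless."""
    ctx = legacy_style_context()
    ctx.check_hostname = True
    return ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    for name, ctx in (("legacy", legacy_style_context()),
                      ("validating", validating_context())):
        print(name, audit(ctx), "INSECURE" if is_grossly_insecure(ctx) else "ok")
```

`trusted_cas` is reported rather than asserted on: it depends on whether the host has a CA bundle installed, which is exactly the deployment difference the thread worries about, and a validating context with zero trusted CAs will fail every handshake rather than silently accept.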


