[Python-Dev] Enable Hostname and Certificate Chain Validation (original) (raw)
Wes Turner wes.turner at gmail.com
Thu Jan 23 12:20:07 CET 2014
- Previous message: [Python-Dev] Enable Hostname and Certificate Chain Validation
- Next message: [Python-Dev] Enable Hostname and Certificate Chain Validation
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
But if it's only the already security-conscious developers and managers who go WTF?, and other environments don't do this by default, I'd consider that a "dangerous curve, slow down" sign.
Mitigations:
Packaging
Upgrade setuptools (distribute, zc.buildout)
Avoid easy_install, python setup.py install, and python setup.py develop (until it can be verified that the installed version of setuptools contains VerifyingHTTPSHandler [1])
https://bitbucket.org/pypa/setuptools/history-node/tip/setuptools/ssl_support.py
+1 for Pip install -e vcs+ssh://vcs@example.org/username/pkgname@semver@egg=pkgname
+1 for Conda
+1 for OS packages
Implementation
- Python < 3.4 : https://pypi.python.org/pypi/backports.ssl_match_hostname
Awareness
- Big red warning boxes: (.. warning:: in RST): Documentation
- This must not be easy to test.
- http://www.cvedetails.com/vulnerability-list/vendor_id-10210/product_id-18230/Python-Python.html
-- Wes Turner
On Thu, Jan 23, 2014 at 3:05 AM, Stephen J. Turnbull <stephen at xemacs.org> wrote:
Donald Stufft writes:
> As an additional side note, anecdotal evidence and what not, but > every time I bring this up somewhere I get at least one reply > that looks similar to > https://twitter.com/ojiidotch/status/425986619879866368 Hey, wait a cotton-picking minute! Are you telling me that Perl, PHP, and Ruby do verify certs by default in their "batteries included" stdlibs, and developers using those languages have been turning that feature off in their code for, like, you know, well, for-EVER man!? (They surely don't leave it on, or my employer would have fixed their broken cert chain and hostnames by now.) If so, that's evidence for the practicality of the proposal, and maybe even for fast-tracking it to catch up. My employer and the Ministry of Education, Culture, Science, and Technology be damned (and they will be). But if it's only the already security-conscious developers and managers who go WTF?, and other environments don't do this by default, I'd consider that a "dangerous curve, slow down" sign.
Python-Dev mailing list Python-Dev at python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/wes.turner%40gmail.com
- Previous message: [Python-Dev] Enable Hostname and Certificate Chain Validation
- Next message: [Python-Dev] Enable Hostname and Certificate Chain Validation
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]