[Python-Dev] Enable Hostname and Certificate Chain Validation (original) (raw)
Stephen J. Turnbull stephen at xemacs.org
Fri Jan 24 04:06:17 CET 2014
- Previous message: [Python-Dev] Enable Hostname and Certificate Chain Validation
- Next message: [Python-Dev] Enable Hostname and Certificate Chain Validation
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Wes Turner writes:
But if it's only the already security-conscious developers and managers who go WTF?, and other environments don't do this by default, I'd consider that a "dangerous curve, slow down" sign.
Mitigations:
Packaging
- Upgrade setuptools (distribute, zc.buildout)
- Avoid easy_install, python setup.py install, and python setup.py develop (until it can be verified that the installed version of setuptools contains VerifyingHTTPSHandler [1])
Are you kidding? These aren't the apps that I care about breaking, and I know that the PHBs won't pay attention to what I say about fixing their sites and cert chains (believe me, I've tried, and the answer is as Paul Moore says: the users can punch the "go ahead anyway button," what's the big deal here?), they'll just deprecate Python.
My question remains:
Are you telling me that Perl, PHP, and Ruby do verify certs by default in their "batteries included" stdlibs, and developers using those languages have been turning that feature off in their code for, like, you know, well, for-EVER man!?
I find that hard to believe, given that the security of the network remains broken yet there aren't warnings out to avoid these platforms. (BTW, my employer prides itself on being Matz's alma mater ... they actually might do something if Ruby was breaking things!)
- Previous message: [Python-Dev] Enable Hostname and Certificate Chain Validation
- Next message: [Python-Dev] Enable Hostname and Certificate Chain Validation
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]