[Python-Dev] PEP 476: Enabling certificate validation by default! (original) (raw)

Christian Heimes christian at python.org
Mon Sep 1 09:13:33 CEST 2014

• Previous message: [Python-Dev] PEP 476: Enabling certificate validation by default!
• Next message: [Python-Dev] PEP 476: Enabling certificate validation by default!
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 01.09.2014 08:44, Nick Coghlan wrote:

Yes, it would have exactly the same security failure modes as sitecustomize, except it would only fire if the application imported the ssl module.

The "-S" and "-I" switches would need to disable the implied "sslcustomize", just as they disable "import site".

A malicious package can already play havoc with your installation with a custom ssl module. If somebody is able to sneak in a ssl.py then you are screwed anyway. sslcustomize is not going to make the situation worse.

Christian

• Previous message: [Python-Dev] PEP 476: Enabling certificate validation by default!
• Next message: [Python-Dev] PEP 476: Enabling certificate validation by default!
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Python-Dev mailing list