On Wed, Jan 22, 2014, at 04:02 AM, Donald Stufft wrote:
On Jan 22, 2014, at 6:45 AM, Nick Coghlan <ncoghlan@gmail.com> wrote:
On 22 January 2014 21:21, Paul Moore <p.f.moore@gmail.com> wrote:
On 22 January 2014 10:30, Donald Stufft <donald@stufft.io> wrote:
Python 3.4 has made great strides in making it easier for applications to simply turn on these settings; however, many people are not aware at all that they need to opt into this. Most assume that it will operate similarly to their browser, curl, wget, etc. and validate by default, and, in the typical style of security-related issues, it will appear to work just fine while being grossly insecure.
Two things:
1. To be "like the browser" we'd need to use the OS certificate store, which isn't the case on Windows at the moment (managing those certificate bundle files is most definitely *not* "like the browser" - I'd have no idea how to add a self-certificate to the bundle file embedded in pip, for example).
2. Your proposal is that because some application authors have not opted in yet, we should penalise the end users of those applications by stopping them being able to use unverified https? And don't forget, applications that haven't opted in will have no switch to allow unverified use. That seems to be punishing the wrong people.
Right, the browsers have a whole system of "click through" security to make the web (and corporate intranets!) still usable even when they only accept CA signed certs by default. With a programming language, there's no such interactivity, so applications just break and users don't know why.
It's notable that even Linux distros haven't made this change in their system Python builds, and commercial Linux distros have raised paranoia to an art form (since that's a respectable chunk of what their users are paying for).
I was actually talking to a Debian maintainer about the likelihood of making this change there earlier today :) If I fail at making this change in upstream I’ll be lobbying downstream and then we’ll just have different behaviors based on where you get your Python from which I think stinks.
I suppose if Debian wants to serve as a test ground to determine whether everyone is happy about having their scripts broken, that's fine, too.
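An added example, not code from anyone in this thread or from CPython itself, showing what the "opt in" discussed above looks like in the 3.4-era ssl API and how an application can inspect a context before trusting it. legacy_context() reproduces the pre-opt-in defaults (no verification, no hostname check); verifying_context() is the one-call opt-in that also loads the platform trust store, which on Windows is the OS certificate store rather than a bundle file. The helper names (context_report, is_browser_like, https_handshake) are my own, and https_handshake needs a network, so nothing here connects anywhere when run stand-alone.

```python
import socket
import ssl
import warnings

# Map verify_mode to a name that is stable across versions (int before 3.6, IntEnum after).
_VERIFY_NAMES = {
    ssl.CERT_NONE: "CERT_NONE",
    ssl.CERT_OPTIONAL: "CERT_OPTIONAL",
    ssl.CERT_REQUIRED: "CERT_REQUIRED",
}


def legacy_context():
    """The context an application gets if it never opts in: nothing is verified.

    PROTOCOL_TLS (PROTOCOL_SSLv23 on older releases) has been deprecated since 3.10,
    so the DeprecationWarning is silenced; it is used here only to reproduce the old
    "appears to work, is grossly insecure" defaults that the thread is about.
    """
    proto = getattr(ssl, "PROTOCOL_TLS", getattr(ssl, "PROTOCOL_SSLv23", None))
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx = ssl.SSLContext(proto)
    return ctx


def verifying_context(cafile=None):
    """The opt-in: CERT_REQUIRED, hostname checking, and the platform trust store.

    create_default_context() calls load_default_certs(), which on Windows reads the
    system ROOT and CA stores (via ssl.enum_certificates) instead of a bundle file.
    Pass cafile= to trust an additional bundle, e.g. one containing a self-signed cert.
    """
    return ssl.create_default_context(cafile=cafile)


def context_report(ctx):
    """Summarise the settings that decide whether a context behaves like a browser."""
    stats = ctx.cert_store_stats()  # counts of loaded certs, available since 3.4
    return {
        "verify_mode": _VERIFY_NAMES[ctx.verify_mode],
        "check_hostname": bool(ctx.check_hostname),
        "trusted_cas": stats.get("x509_ca", 0),
    }


def is_browser_like(ctx):
    """True only if the peer cert is required, matched against the hostname, and
    there is at least one CA to validate it against (an empty store with
    CERT_REQUIRED simply fails every handshake)."""
    r = context_report(ctx)
    return r["verify_mode"] == "CERT_REQUIRED" and r["check_hostname"] and r["trusted_cas"] > 0


def https_handshake(host, port=443, ctx=None, timeout=5.0):
    """Complete a TLS handshake and return the peer certificate dict.

    Under legacy_context() this succeeds against a self-signed or mismatched
    certificate and getpeercert() returns {} because nothing was validated; under
    verifying_context() the same server makes wrap_socket() raise ssl.SSLError or
    ssl.CertificateError, which is the "applications just break" case above.
    """
    ctx = ctx or verifying_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print("legacy   :", context_report(legacy_context()))
    print("verifying:", context_report(verifying_context()))
```

A useful habit in an application is to call is_browser_like() on the context it is about to hand to http.client or urllib and refuse to proceed (or at least log loudly) when it returns False; that makes the opt-in visible instead of silently accepting any certificate.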