[Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)

Donald Stufft donald at stufft.io
Mon Jun 3 23:56:48 CEST 2013 

On Jun 3, 2013, at 5:51 PM, Antoine Pitrou <solipsis at pitrou.net> wrote:

> On Mon, 3 Jun 2013 17:47:31 -0400
> Donald Stufft <donald at stufft.io> wrote:
>> 
>> On Jun 3, 2013, at 5:41 PM, Antoine Pitrou <solipsis at pitrou.net> wrote:
>> 
>>> On Mon, 3 Jun 2013 22:31:40 +0100
>>> Paul Moore <p.f.moore at gmail.com> wrote:
>>>> 
>>>>> Some legit sites with proper
>>>>> certificates still manage to muck something up administratively
>>>>> (developer.quicksales.com.au has a cert from RapidSSL but doesn't
>>>>> bundle the intermediates, and I've told their devs about it, but all I
>>>>> can do is disable cert checking). This will break code in ways that
>>>>> will surprise people greatly. But I'd still rather the default be
>>>>> True.
>>>>> 
>>>> 
>>>> I'm happy if the "will cease to work" clause only says "some sites with
>>>> broken security configurations may stop working" with a clear explanation
>>>> that it is *their* fault, not Python's. I'd also expect that the same sites
>>>> would fail in browsers - if not, we should also be able to make them work
>>>> (or face cries of "well, Internet Explorer/Firefox doesn't have a problem
>>>> with my site, why does Python?").
>>> 
>>> Keep in mind that not every HTTPS service is a Web site that is meant
>>> to be readable with a browser. Some are Web services, possibly internal,
>>> possibly without a domain name (and, therefore, probably a non-matching
>>> certificate subject name).
>> 
>> They should need to explicitly opt in to disabling the checks that allow that to work.
> 
> Obviously, which means compatibility is broken with existing code.
> 
> Regards
> 
> Antoine.
> _______________________________________________
> Python-Dev mailing list
> Python-Dev at python.org
> http://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe: http://mail.python.org/mailman/options/python-dev/donald%40stufft.io


Yes in that case compat will be broken and they'll need to either specify a cert that can be used to validate the connection or disable the protection. I think it's very surprising for people that they need to *enable* secure mode when most tools have that on by default. It's handing users a security foot gun, and like most things security related "broken" is silent until it's too late.


-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20130603/b2465bd5/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.python.org/pipermail/python-dev/attachments/20130603/b2465bd5/attachment.pgp>

More information about the Python-Dev mailing list