[Python-Dev] PEP 476: Enabling certificate validation by default!

Nick Coghlan ncoghlan at gmail.com
Sun Aug 31 08:45:42 CEST 2014

On 31 August 2014 16:16, Donald Stufft <donald at stufft.io> wrote:
> On Aug 31, 2014, at 2:09 AM, Nick Coghlan <ncoghlan at gmail.com> wrote:
> At the same time, we need to account for the fact that most existing
> organisations still trust in perimeter defence for their internal
> network security, and hence tolerate (or even actively encourage) the
> use of unsecured connections, or skipping certificate validation,
> internally. This is actually a really terrible idea, but it's still
> incredibly common due to the general failure of the technology
> industry to take usability issues seriously when we design security
> systems (at least until recently) - doing the wrong "unsafe" thing is
> genuinely easier than doing things right.
> Just a quick clarification in order to be a little clearer, this change will
> (obviously) only effect those who trust perimeter security *and* decided to
> install an invalid certificate instead of just using HTTP. I'm not saying
> that
> this doesn't happen, just being specific (I'm not actually sure why they
> would
> install a TLS certificate at all if they are trusting perimeter security,
> but
> I'm sure folks do).

It's the end result when a company wide edict to use HTTPS isn't
backed up by the necessary documentation and training on how to get a
properly signed cert from your internal CA (or, even better, when such
an edict comes down without setting up an internal CA first). Folks
hit the internet instead, find instructions on creating a self-signed
cert, install that, and tell their users to ignore the security
warning and accept the cert. Historically, Python clients have "just
worked" in environments that required a click-through on the browser
side, since you had to opt in to checking the certificates properly.

Self-signed certificates can also be really handy for doing local
testing - you're not really aiming to authenticate the connection in
that case, you're just aiming to test that the secure connection
machinery is all working properly.

(As far as the "what about requests?" question goes - that's in a
similar situation to Go, where being new allows it to choose different
defaults, and folks for whom those defaults don't work just won't use
it. There's also the fact that most corporate Python users are
unlikely to know that PyPI exists, let alone that it contains a module
called "requests" that does SSL certificate validation by default.
Those of us in the corporate world that interact directly with
upstream are still the exception rather than the rule)


Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia

More information about the Python-Dev mailing list