[Python-Dev] Enable Hostname and Certificate Chain Validation

Donald Stufft donald at stufft.io
Wed Jan 22 12:29:47 CET 2014


On Jan 22, 2014, at 6:21 AM, Paul Moore <p.f.moore at gmail.com> wrote:

> On 22 January 2014 10:30, Donald Stufft <donald at stufft.io> wrote:
>> Python 3.4 has made great strides in making it easier for applications
>> to simply turn on these settings, however many people are not aware
>> at all that they need to opt into this. Most assume that it will operate
>> similarly to their browser, curl, wget, etc and validate by default and in
>> the typical style of security related issues it will appear to work just fine
>> however be grossly insecure.
> 
> Two things:
> 
> 1. To be "like the browser" we'd need to use the OS certificate store,
> which isn't the case on Windows at the moment (managing those
> certificate bundle files is most definitely *not* "like the browser" -
> I'd have no idea how to add a self-certificate to the bundle file
> embedded in pip, for example).

Python 3.4 added the ability to use the OS cert store on Windows,
see http://bugs.python.org/issue17134.

> 2. Your proposal is that because some application authors have not
> opted in yet, we should penalise the end users of those applications
> by stopping them being able to use unverified https? And don't forget,
> applications that haven't opted in will have no switch to allow
> unverified use. That seems to be punishing the wrong people.

Some applications will need to be updated yes to provide such a switch
but the alternative is that every user of this API needs to configure it
to verify certificates. The difference is that with my proposal the error
condition is very obvious, the SSL certificate will fail to validate, a bug
can be filed and it can be fixed. With the current behavior the only
way you’d know is if you expected it to fail and didn’t, or you went
specifically looking.

It’s a dangerous by default API that punishes people for not knowing
that they need to turn it on, and punishes people who use those
applications. However it won’t punish them directly, instead it’ll just
make it possible to MITM their connection, possibly leaking sensitive
material.


-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
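The opt-in Donald describes, and the "you only know if you go looking" failure mode, in working code. This is an added example for this thread, not code from the message, from pip, or from CPython; it uses only the standard-library ssl module, and the helper names (make_client_context, audit_context, is_verifying) are this example's own. It shows a client context that validates the chain and the hostname by default with an explicit opt-out switch (the switch an application must expose before a verify-by-default change lands), and an audit function that reports what a given context will actually check, since a non-verifying context otherwise looks identical to a verifying one at runtime.

```python
"""Verifying vs. non-verifying TLS client contexts on Python 3.4+.

Added example for this thread; not code from the message, from pip, or from
CPython. Only the standard-library ssl module is used; the helper names are
this example's own.
"""
import ssl


def make_client_context(verify=True, cafile=None):
    """Build a client SSLContext that validates by default.

    verify=True  -> chain validation (CERT_REQUIRED) plus hostname checking,
                    trusting `cafile` if given, otherwise the platform roots
                    (on Windows 3.4+ the OS certificate store, loaded via
                    load_default_certs).
    verify=False -> the explicit, visible opt-out an application should offer
                    instead of silently running unverified.
    """
    # create_default_context() is the 3.4 addition the thread refers to: it
    # sets CERT_REQUIRED, turns on check_hostname, and loads trust roots.
    ctx = ssl.create_default_context(cafile=cafile)
    if not verify:
        # Order matters: ssl refuses to set CERT_NONE while check_hostname is
        # True, so hostname checking has to be switched off first.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Report what a context will actually check on connect.

    This is the check to run in review or at startup: a context that accepts
    any certificate behaves exactly like a verifying one against an honest
    server, so nothing else will tell you.
    """
    stats = ctx.cert_store_stats()  # {'x509': n, 'crl': n, 'x509_ca': n}
    return {
        "chain_validated": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": bool(ctx.check_hostname),
        "trusted_cas": stats["x509_ca"],
    }


def is_verifying(ctx):
    """True only if the chain and the hostname are both checked and there is
    at least one trust anchor to check the chain against; a context with
    CERT_REQUIRED but an empty store fails every handshake rather than
    accepting a MITM, which is loud but still not usable."""
    report = audit_context(ctx)
    return (report["chain_validated"] and report["hostname_checked"]
            and report["trusted_cas"] > 0)


if __name__ == "__main__":
    for label, ctx in (("default (verify=True)", make_client_context()),
                       ("opt-out (verify=False)", make_client_context(verify=False))):
        print(label, audit_context(ctx), "verifying:", is_verifying(ctx))
```

The opt-out context is what pre-3.4 code got by default from ssl.wrap_socket() or a bare SSLContext: the handshake succeeds against any certificate, so the only observable difference between it and the hardened one is what audit_context reports. Whether trusted_cas is non-zero on a given machine depends on the platform store, which is exactly the Windows concern raised in the thread.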
