[Python-Dev] Enable Hostname and Certificate Chain Validation

M.-A. Lemburg mal at egenix.com
Wed Jan 22 12:53:14 CET 2014

On 22.01.2014 12:36, Donald Stufft wrote:
> On Jan 22, 2014, at 6:30 AM, M.-A. Lemburg <mal at egenix.com> wrote:
>> The change would also disable all services using self-signed
>> certificates which are very common in internal networks and
>> for ad-hoc setups. Many routers and other devices use self-signed
>> certificates when offering HTTPS services.
> It will just disable them by default, they can still easily be accessed
> you’d just need to pass the “do not verify” flag. This clearly indicates
> that you’re opting out of the S in HTTPS.
>> I think overall, it's good to have default security, but locking out
>> all certificates which do not have their root CA certs installed
>> in default installations of systems per default would likely lead to
>> people seeking other more insecure ways of getting things to work,
>> rather than asking their admins to add their CA certs to the certificate
>> chain configuration. So I'm not sure whether raising errors is the
>> best way to achieve better default security. Perhaps just using
>> warnings would be better.
> Again it’s not “locking out”, it’s simply “requires explicitly saying
> I want to not validate”.

This would have to be configurable without changing application code,
e.g. using an environment setting.

Otherwise, you do lock out existing scripts and applications from
using Python 3.6 by requiring supporting custom configurations
from all of them.

Simply saying: oh, just change your code to never validate is not
a good solution either.

> It’s hard to be more insecure than not verifying. Just about the only
> other way is to use plaintext but the only real difference there is
> passive vs active attacks. However typically if you’re in the situation
> to do a passive attack you can also do an active attack. So “more
> insecure” is minorly more insecure while an error is drastically
> more secure.

I disagree with that statement. Using HTTPS without verification
is still far more secure than using plain text.

I know that verification is a lot better, but please remember
that practicality beats purity.

Marc-Andre Lemburg

Professional Python Services directly from the Source  (#1, Jan 22 2014)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
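The thread above argues over two things: whether an application should be able to opt out of verification without code changes (e.g. via an environment setting), and how a private or self-signed CA should be handled. The following is an added example written for this page, not code from the thread, from Python's `ssl` module documentation or from any PEP. It assumes a hypothetical environment variable `PYHTTPS_VERIFY` (no such variable exists in Python) and shows the defender-preferred fix for internal certificates, loading the private CA into the context with `load_verify_locations`, next to an explicit, warned opt-out that keeps `create_default_context()`'s verifying behaviour as the default.

```python
import os
import ssl
import warnings
from typing import Mapping, Optional

# Hypothetical environment variable (assumption for this example; Python defines no
# such setting). Anything other than an explicit "no" keeps verification on.
VERIFY_ENV_VAR = "PYHTTPS_VERIFY"
_DISABLE_VALUES = {"0", "false", "no", "off"}


def verification_enabled(env: Optional[Mapping[str, str]] = None) -> bool:
    """Return True unless the operator explicitly turned verification off."""
    env = os.environ if env is None else env
    return env.get(VERIFY_ENV_VAR, "1").strip().lower() not in _DISABLE_VALUES


def build_context(env: Optional[Mapping[str, str]] = None,
                  cafile: Optional[str] = None,
                  capath: Optional[str] = None) -> ssl.SSLContext:
    """Build a client-side SSLContext for HTTPS.

    Default: CERT_REQUIRED plus hostname checking against the system trust store,
    which is what ssl.create_default_context() gives for server authentication.
    Private/self-signed CAs are added to the trust store instead of disabling checks.
    Disabling verification is possible only through the explicit opt-out and is warned.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)

    if cafile or capath:
        # The right fix for an internal CA or a router's self-signed cert: trust that
        # specific issuer, keep hostname and chain validation fully on.
        ctx.load_verify_locations(cafile=cafile, capath=capath)

    if not verification_enabled(env):
        # Explicit opt-out: the "do not verify" path discussed in the thread. Emit a
        # warning so the downgrade is visible in logs rather than silent.
        warnings.warn(
            f"{VERIFY_ENV_VAR} disables TLS certificate and hostname verification; "
            "connections are exposed to active man-in-the-middle attacks.",
            RuntimeWarning,
        )
        # check_hostname must be turned off before verify_mode can become CERT_NONE;
        # the reverse order raises ValueError.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    return ctx


def describe(ctx: ssl.SSLContext) -> str:
    """Summarise what a context actually enforces, for audit logs or startup banners."""
    if ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname:
        return "verified (chain + hostname)"
    if ctx.verify_mode == ssl.CERT_REQUIRED:
        return "chain only (no hostname check)"
    return "unverified"


if __name__ == "__main__":
    # Constructed environments, no real network access: compare the default with the
    # explicit opt-out. urllib.request.urlopen(url, context=ctx) would consume either.
    print("default:", describe(build_context(env={})))
    print("opt-out:", describe(build_context(env={VERIFY_ENV_VAR: "0"})))
```

`describe()` is the check worth keeping in real code: log it at startup so an environment that silently sets the opt-out variable is visible in the service's own logs, and route the warning through `warnings.simplefilter("error", RuntimeWarning)` in environments where the downgrade should be a hard failure rather than a notice.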
