[Python-Dev] Enable Hostname and Certificate Chain Validation

M.-A. Lemburg mal at egenix.com
Wed Jan 22 14:16:18 CET 2014


On 22.01.2014 13:43, Jesse Noller wrote:
>> Well, it's not really a security issue, since the security features
>> are present in Python 3.4. It's just that the user has to enable them.
> 
> I have to concur with Donald here - in the case of security, especially language security which directly impacts the implicit security of downstream applications, I should not have to opt in to the most secure defaults.
> 
> Yes; this potentially breaks applications relying on insecure / loose defaults. However it changes the model to "you are by default, explicitly secure" then relying on the domain knowledge of an application developer to harden their application.
> 
> When, if this changes, an application breaks, it will be in a plainly obvious way which can quickly be resolved.

The "can quickly be resolved" is the issue...

> Donald is perfectly right: today, it's trivial to MITM an application that relies off of the current behavior; this is bad news bears for users and developers as it means they need domain knowledge to secure their applications by default they may not have.

I don't think you need much domain knowledge to insert
a single line of code into applications to enable the checks.

Using an environment switch the extra checks could even be enabled
without any code changes.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Jan 22 2014)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
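As an added illustration of the two options raised in the message above (the "single line of code" and the "environment switch"), here is example code that is not part of the thread or of CPython. It uses only public ssl module APIs: ssl.create_default_context() (new in Python 3.4) and ssl.PROTOCOL_TLS_CLIENT (new in 3.6). The variable name EXAMPLE_TLS_VERIFY is a hypothetical name chosen for the example, not a real interpreter setting.

```python
import os
import ssl


def hardened_context():
    """The 'single line of code' case: one call that turns on chain
    validation (CERT_REQUIRED), hostname checking and the system CA store.
    ssl.create_default_context() exists from Python 3.4 onward."""
    return ssl.create_default_context()


def loose_context():
    """A context with pre-3.4 style loose defaults: no chain validation,
    no hostname check.  Built explicitly so the downgrade is visible in
    code review.  Order matters: check_hostname must be cleared before
    verify_mode may be lowered to CERT_NONE."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verification_enabled(ctx):
    """True only when both halves of the check are on: the peer chain must
    validate to a trusted CA and the leaf must match the hostname.  Either
    half alone still leaves the connection open to an active MITM."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def context_from_environment(env=None):
    """The 'environment switch' case.  EXAMPLE_TLS_VERIFY is a hypothetical
    variable name used for this example only.  Secure is the default and
    only an explicit "0" opts out, so an unset or misspelled variable
    still verifies (fail closed rather than fail open)."""
    if env is None:
        env = os.environ
    if env.get("EXAMPLE_TLS_VERIFY", "1") == "0":
        return loose_context()
    return hardened_context()


def describe(ctx):
    """One-line summary of the verification settings, e.g. for a startup
    log so operators can see which mode an application is running in."""
    return "verify_mode=%s check_hostname=%s ca_certs_loaded=%s" % (
        ctx.verify_mode.name,
        ctx.check_hostname,
        ctx.cert_store_stats()["x509_ca"] > 0,
    )


if __name__ == "__main__":
    cases = [
        ("hardened", hardened_context()),
        ("loose", loose_context()),
        ("env-default", context_from_environment({})),
        ("env-opt-out", context_from_environment({"EXAMPLE_TLS_VERIFY": "0"})),
    ]
    for name, ctx in cases:
        verdict = "OK" if verification_enabled(ctx) else "MITM-able"
        print("%-12s %s -> %s" % (name, describe(ctx), verdict))
```

Note that a context with CERT_REQUIRED but no CA certificates loaded will reject every handshake; create_default_context() calls load_default_certs() for you, whereas a hand-built SSLContext does not, which is why the one-line form is the safer thing to drop into an existing application.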

