[Python-Dev] Enable Hostname and Certificate Chain Validation

M.-A. Lemburg mal at egenix.com
Wed Jan 22 14:16:18 CET 2014

On 22.01.2014 13:43, Jesse Noller wrote:
>> Well, it's not really a security issue, since the security features
>> are present in Python 3.4. It's just that the user has to enable them.
> I have to concur with Donald here - in the case of security, especially language security which directly impacts the implicit security of downstream applications, I should not have to opt in to the most secure defaults.
> Yes; this potentially breaks applications relying on insecure / loose defaults. However it changes the model to "you are by default, explicitly secure" then relying on the domain knowledge of an application developer to harden their application.
> When, if this changes, an application breaks, it will be in a plainly obvious way which can quickly be resolved.

The "can quickly be resolved" is the issue...

> Donald is perfectly right: today, it's trivial to MITM an application that relies off of the current behavior; this is bad news bears for users and developers as it means they need domain knowledge to secure their applications by default they may not have.

I don't think you need much domain knowledge to insert
a single line of code into applications to enable the checks.

Using an environment switch the extra checks could even be enabled
without any code changes.

Marc-Andre Lemburg

Professional Python Services directly from the Source  (#1, Jan 22 2014)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611

More information about the Python-Dev mailing list