[Python-Dev] Enable Hostname and Certificate Chain Validation

Benjamin Peterson bp at benjamin-peterson.org
Wed Jan 22 15:32:43 CET 2014


On Wed, Jan 22, 2014, at 04:02 AM, Donald Stufft wrote:
> 
> On Jan 22, 2014, at 6:45 AM, Nick Coghlan <ncoghlan at gmail.com> wrote:
> 
> > On 22 January 2014 21:21, Paul Moore <p.f.moore at gmail.com> wrote:
> >> On 22 January 2014 10:30, Donald Stufft <donald at stufft.io> wrote:
> >>> Python 3.4 has made great strides in making it easier for applications
> >>> to simply turn on these settings, however many people are not aware
> >>> at all that they need to opt into this. Most assume that it will operate
> >>> similarly to their browser, curl, wget, etc and validate by default and in
> >>> the typical style of security related issues it will appear to work just fine
> >>> however be grossly insecure.
> >> 
> >> Two things:
> >> 
> >> 1. To be "like the browser" we'd need to use the OS certificate store,
> >> which isn't the case on Windows at the moment (managing those
> >> certificate bundle files is most definitely *not* "like the browser" -
> >> I'd have no idea how to add a self-certificate to the bundle file
> >> embedded in pip, for example).
> >> 2. Your proposal is that because some application authors have not
> >> opted in yet, we should penalise the end users of those applications
> >> by stopping them being able to use unverified https? And don't forget,
> >> applications that haven't opted in will have no switch to allow
> >> unverified use. That seems to be punishing the wrong people.
> > 
> > Right, the browsers have a whole system of "click through" security to
> > make the web (and corporate intranets!) still usable even when they
> > only accept CA signed certs by default. With a programming language,
> > there's no such interactivity, so applications just break and users
> > don't know why.
> > 
> > It's notable that even Linux distros haven't made this change in their
> > system Python builds, and commercial Linux distros have raised
> > paranoia to an art form (since that's a respectable chunk of what
> > their users are paying for).
> 
> I was actually talking to a Debian maintainer about the likelihood
> of making this change there earlier today :) If I fail at making this
> change in upstream I’ll be lobbying downstream and then we’ll
> just have different behaviors based on where you get your Python
> from which I think stinks.

I suppose if Debian wants to serve as a test ground to determine whether
everyone is happy about having their scripts broken, that's fine, too.


More information about the Python-Dev mailing list