[Python-Dev] Enable Hostname and Certificate Chain Validation
Wes Turner
wes.turner at gmail.com
Thu Jan 23 12:20:07 CET 2014
> But if it's only the already security-conscious developers and
> managers who go WTF?, and other environments don't do this by default,
> I'd consider that a "dangerous curve, slow down" sign.
Mitigations:
**Packaging**
* Upgrade setuptools (distribute, zc.buildout)
* Avoid easy_install, python setup.py install, and python setup.py develop (until it can be verified that the installed version of setuptools contains VerifyingHTTPSHandler [1])
https://bitbucket.org/pypa/setuptools/history-node/tip/setuptools/ssl_support.py
* +1 for Pip install -e vcs+ssh://vcs@example.org/username/pkgname@semver@egg=pkgname
* +1 for Conda
* +1 for OS packages
**Implementation**
* Python < 3.4 : https://pypi.python.org/pypi/backports.ssl_match_hostname
**Awareness**
* Big red warning boxes: (.. warning:: in RST): Documentation
* This must not be easy to test.
* http://www.cvedetails.com/vulnerability-list/vendor_id-10210/product_id-18230/Python-Python.html
--
Wes Turner
On Thu, Jan 23, 2014 at 3:05 AM, Stephen J. Turnbull <stephen at xemacs.org> wrote:
> Donald Stufft writes:
>
> > As an additional side note, anecdotal evidence and what not, but
> > *every* time I bring this up somewhere I get at least one reply
> > that looks similar to
> > https://twitter.com/ojiidotch/status/425986619879866368
>
> Hey, wait a cotton-picking minute!
>
> Are you telling me that Perl, PHP, and Ruby *do* verify certs by
> default in their "batteries included" stdlibs, and developers using
> those languages have been turning that feature off in their code for,
> like, you know, well, for-EVER man!? (They surely don't leave it on,
> or my employer would have fixed their broken cert chain and hostnames
> by now.)
>
> If so, that's evidence for the practicality of the proposal, and maybe
> even for fast-tracking it to catch up. My employer and the Ministry
> of Education, Culture, Science, and Technology be damned (and they
> will be).
>
> But if it's only the already security-conscious developers and
> managers who go WTF?, and other environments don't do this by default,
> I'd consider that a "dangerous curve, slow down" sign.
>
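The hostname check the thread is asking Python to perform by default, as an added example that is not part of the original thread: a small RFC 6125-style matcher over the dict shape `SSLSocket.getpeercert()` returns (subjectAltName dNSName entries, CN only as a fallback), plus a client context built the verifying way. The function names and the sample certificate are constructed for this example.

```python
import ssl
from typing import Mapping


class CertificateError(ValueError):
    """Raised when a certificate does not cover the requested hostname."""


def _dnsname_match(pattern: str, hostname: str) -> bool:
    # Case-insensitive; a '*' is allowed only as the whole leftmost label
    # and must be followed by at least two more labels (no '*.com').
    plabels = pattern.lower().rstrip(".").split(".")
    hlabels = hostname.lower().rstrip(".").split(".")
    if not hostname or "*" in hostname or "" in hlabels:
        return False
    if "*" not in pattern:
        return plabels == hlabels
    if plabels[0] != "*" or len(plabels) < 3 or any("*" in l for l in plabels[1:]):
        return False
    return len(hlabels) == len(plabels) and plabels[1:] == hlabels[1:]


def match_hostname(cert: Mapping, hostname: str) -> None:
    """Raise CertificateError unless `cert` (getpeercert() dict) covers `hostname`.

    An empty dict is what getpeercert() returns when the chain was never
    verified, so it must fail rather than silently pass.
    """
    if not cert:
        raise CertificateError("empty or unverified certificate")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # legacy fallback: commonName only when there is no SAN
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(_dnsname_match(n, hostname) for n in names):
        raise CertificateError(f"hostname {hostname!r} doesn't match {names!r}")


def hostname_matches(cert: Mapping, hostname: str) -> bool:
    try:
        match_hostname(cert, hostname)
        return True
    except CertificateError:
        return False


def verifying_context() -> ssl.SSLContext:
    """Client context that checks the chain and the hostname (CERT_REQUIRED,
    check_hostname=True); the opposite settings are what the thread warns about."""
    return ssl.create_default_context()


# Constructed sample, in the shape SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.org"),),),
    "subjectAltName": (("DNS", "example.org"), ("DNS", "*.example.org")),
}
```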