[Python-Dev] Enable Hostname and Certificate Chain Validation

Stephen J. Turnbull stephen at xemacs.org
Fri Jan 24 04:06:17 CET 2014

Wes Turner writes:
 > > But if it's only the already security-conscious developers and
 > > managers who go WTF?, and other environments don't do this by default,
 > > I'd consider that a "dangerous curve, slow down" sign.
 > Mitigations:
 > **Packaging**
 >   * Upgrade setuptools (distribute, zc.buildout)
 >   * Avoid easy_install, python setup.py install, and python setup.py develop
 >     (until it can be verified that the installed version of setuptools contains
 >      VerifyingHTTPSHandler [1])

Are you kidding?  These *aren't* the apps that I care about breaking,
and I know that the PHBs won't pay attention to what I say about
fixing their sites and cert chains (believe me, I've tried, and the
answer is as Paul Moore says: the users can punch the "go ahead anyway
button," what's the big deal here?), they'll just deprecate Python.

My question remains:

 > > Are you telling me that Perl, PHP, and Ruby *do* verify certs by
 > > default in their "batteries included" stdlibs, and developers using
 > > those languages have been turning that feature off in their code for,
 > > like, you know, well, for-EVER man!?

I find that hard to believe, given that the security of the network
remains broken yet there aren't warnings out to avoid these platforms.
(BTW, my employer prides itself on being Matz's alma mater ... they
actually might do something if Ruby was breaking things!)

More information about the Python-Dev mailing list