[Python-Dev] Enable Hostname and Certificate Chain Validation

Donald Stufft donald at stufft.io
Fri Jan 24 04:09:49 CET 2014


On Jan 23, 2014, at 10:06 PM, Stephen J. Turnbull <stephen at xemacs.org> wrote:

> Wes Turner writes:
>>> But if it's only the already security-conscious developers and
>>> managers who go WTF?, and other environments don't do this by default,
>>> I'd consider that a "dangerous curve, slow down" sign.
>> 
>> Mitigations:
>> 
>> **Packaging**
>> 
>>  * Upgrade setuptools (distribute, zc.buildout)
>>  * Avoid easy_install, python setup.py install, and python setup.py develop
>>    (until it can be verified that the installed version of setuptools contains
>>     VerifyingHTTPSHandler [1])
> 
> Are you kidding?  These *aren't* the apps that I care about breaking,
> and I know that the PHBs won't pay attention to what I say about
> fixing their sites and cert chains (believe me, I've tried, and the
> answer is as Paul Moore says: the users can punch the "go ahead anyway
> button," what's the big deal here?), they'll just deprecate Python.
> 
> My question remains:
> 
>>> Are you telling me that Perl, PHP, and Ruby *do* verify certs by
>>> default in their "batteries included" stdlibs, and developers using
>>> those languages have been turning that feature off in their code for,
>>> like, you know, well, for-EVER man!?
> 
> I find that hard to believe, given that the security of the network
> remains broken yet there aren't warnings out to avoid these platforms.
> (BTW, my employer prides itself on being Matz's alma mater ... they
> actually might do something if Ruby was breaking things!)

Ruby has verified the peer by default since Ruby 1.9.

Go also verifies by default, I’m not aware if PHP or Perl do.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
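Added example (editor's addition, not part of Donald's message or of the thread): what "hostname and certificate chain validation" means in practice for a Python client. The first function builds an `ssl.SSLContext` that rejects untrusted chains and name mismatches (the behaviour the thread argues the stdlib should default to); the second is an illustrative reimplementation of the RFC 6125-style hostname check against the dict shape `SSLSocket.getpeercert()` returns, so the matching rules can be read and exercised offline. In a real connection the check is performed by OpenSSL once `check_hostname` is set; the matcher here exists only to make the rules explicit. The sample certificate dicts are constructed, not real certificates.

```python
"""Chain + hostname validation in Python's ssl module, plus a readable
reference matcher for the hostname rules (editor's example, not stdlib code)."""
import ssl


def make_verifying_context(cafile=None):
    """Return a context that verifies the peer chain against the system
    (or the given) CA store and checks the peer name.  The caller is
    assumed to wrap its socket with server_hostname=<expected name>."""
    ctx = ssl.create_default_context(cafile=cafile)
    # Both are already defaults of create_default_context(); set them
    # explicitly so the intent survives later edits.  verify_mode must be
    # raised before check_hostname is enabled.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def _dns_pattern_matches(pattern, hostname):
    """Match one dNSName pattern against a hostname (case-insensitive).
    A wildcard is accepted only as the whole leftmost label, it covers
    exactly one label, and the pattern must keep at least two labels
    after it, so "*.com" never matches anything."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False  # partial ("f*o.") or non-leftmost wildcard: reject
    if len(p_labels) < 3:
        return False  # too broad ("*.test")
    if len(p_labels) != len(h_labels):
        return False  # the wildcard may not span several labels
    return p_labels[1:] == h_labels[1:]


def match_hostname(cert, hostname):
    """Return True if `cert` (dict shaped like SSLSocket.getpeercert())
    is valid for `hostname`.  dNSName SANs are authoritative; the subject
    commonName is consulted only when no dNSName SAN is present."""
    dns_names = [value for kind, value in cert.get("subjectAltName", ())
                 if kind == "DNS"]
    if dns_names:
        return any(_dns_pattern_matches(p, hostname) for p in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_pattern_matches(value, hostname)
    return False


# Constructed sample certificates (shape of getpeercert(), not real certs).
SAN_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"),
                       ("DNS", "*.api.example.test")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.test"),),)}
BROAD_WILDCARD_CERT = {"subjectAltName": (("DNS", "*.test"),)}


if __name__ == "__main__":
    ctx = make_verifying_context()
    print("verify_mode=%s check_hostname=%s" % (ctx.verify_mode, ctx.check_hostname))
    for name in ("www.example.test", "v1.api.example.test",
                 "a.b.api.example.test", "api.example.test", "evil.test"):
        print("%-24s -> %s" % (name, match_hostname(SAN_CERT, name)))
```

To use the context for a real connection, wrap the socket with `ctx.wrap_socket(sock, server_hostname=host)`; with `check_hostname` set, `wrap_socket` raises `ssl.CertificateError` on a name mismatch and `ssl.SSLError` on an untrusted chain, rather than silently proceeding as the 2014-era `urllib` defaults did.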
