[Python-Dev] PEP 476: Enabling certificate validation by default!

Glyph Lefkowitz glyph at twistedmatrix.com
Tue Sep 2 23:00:02 CEST 2014


On Aug 29, 2014, at 7:44 PM, Alex Gaynor <alex.gaynor at gmail.com> wrote:
>  Disabling verification entirely externally to the program, through a CLI flag
>  or environment variable. I'm pretty down on this idea, the problem you hit is
>  that it's a pretty blunt instrument to swing, and it's almost impossible to
>  imagine it not hitting things it shouldn't; it's far too likely to be used in
>  applications that make two sets of outbound connections: 1) to some internal
>  service which you want to disable verification on, and 2) some external
>  service which needs strong validation. A global flag causes the latter to
>  fail silently when subjected to a MITM attack, and that's exactly what we're
>  trying to avoid. It also makes things much harder for library authors: I
>  write an API client for some API, and make TLS connections to it. I want
>  those to be verified by default. I can't even rely on the httplib defaults,
>  because someone might disable them from the outside.


I would strongly recommend against such a mechanism.

For what it's worth, Twisted simply unconditionally started verifying certificates in 14.0 with no "disable" switch, and (to my knowledge) literally no users have complained.

Twisted has a very, very strict backwards compatibility policy.  For example, I once refused to accept the deletion of a class that raised an exception upon construction, on the grounds that someone might have been inadvertently importing that class, and they shouldn't see an exception until they've seen a deprecation for one release.

Despite that, we classified failing to verify certificates as a security bug, and fixed it with no deprecation period.  When users type the 's' after the 'p' and before the ':' in a URL, they implicitly expect browser-like certificate verification.

The lack of complaints is despite the fact that 14.0 has been out for several months now, and, thanks to the aforementioned strict policy, users tend to upgrade fairly often (since they know they can almost always do so without fear of application-breaking consequences).  According to PyPI metadata, 14.0.0 has had 273283 downloads so far.

Furthermore, "disable verification" is a nonsensical thing to do with TLS.  "select a trust root" is a valid configuration option, and OpenSSL already provides it via the SSL_CERT_DIR environment variable, so there's no need for Python to provide anything beyond that.

-glyph
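Added example, not part of the original message and not code from Twisted or CPython: it shows the distinction Glyph draws, "select a trust root" (per connection, or via OpenSSL's own SSL_CERT_DIR) versus "disable verification" (a global switch that also strips protection from the external connection that needed it). The helper names, the two host names and the use of an empty temporary directory as a stand-in for a private CA directory are assumptions for illustration; nothing here opens a socket.

```python
import os
import ssl
import tempfile
import http.client


def verify_paths_for(env):
    """Return the (cafile, capath) pair OpenSSL will consult under `env`.

    Hypothetical helper: it applies the given environment variables only for
    the duration of the ssl.get_default_verify_paths() call, then restores them.
    """
    saved = {name: os.environ.get(name) for name in env}
    try:
        os.environ.update(env)
        paths = ssl.get_default_verify_paths()
        return paths.cafile, paths.capath
    finally:
        for name, value in saved.items():
            if value is None:
                os.environ.pop(name, None)
            else:
                os.environ[name] = value


def client_context(capath=None, cafile=None):
    """Verifying client context whose trust root is chosen per call.

    With no arguments the platform/OpenSSL defaults (SSL_CERT_DIR and
    SSL_CERT_FILE included) are used; with capath/cafile only that trust
    root is loaded.  Verification itself is never switched off.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH,
                                     cafile=cafile, capath=capath)
    # Only the trust root changes; chain and host-name checks stay on.
    assert ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    return ctx


def disabled_context():
    """What a global "disable verification" switch produces: any certificate
    is accepted for any name, so a MITM goes unnoticed."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def is_verifying(ctx):
    """True if the context checks both the certificate chain and the host name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def demo():
    """Exercise the helpers offline; the temporary directory stands in for a
    directory of private-CA certificates (constructed, empty)."""
    with tempfile.TemporaryDirectory() as private_ca_dir:
        # 1. OpenSSL's own knob: SSL_CERT_DIR selects the default capath.
        _, capath = verify_paths_for({"SSL_CERT_DIR": private_ca_dir})

        # 2. Two kinds of outbound connection, two trust roots, both verified.
        internal_ctx = client_context(capath=private_ca_dir)  # private CA only
        external_ctx = client_context()                        # system roots
        # Hypothetical hosts; constructing the connection does not connect.
        http.client.HTTPSConnection("api.internal.example", context=internal_ctx)
        http.client.HTTPSConnection("api.example.com", context=external_ctx)

        return {
            "capath_env_name": ssl.get_default_verify_paths().openssl_capath_env,
            "env_capath_honoured": capath == private_ca_dir,
            "internal_verifies": is_verifying(internal_ctx),
            "external_verifies": is_verifying(external_ctx),
            "disabled_verifies": is_verifying(disabled_context()),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A library author who builds contexts this way gets verified connections regardless of what the surrounding application sets, which is the guarantee a global disable flag would take away; an operator who really needs a private CA points SSL_CERT_DIR (or passes capath) at it instead.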

