[Python-Dev] PEP 476: Enabling certificate validation by default!

Guido van Rossum guido at python.org
Wed Sep 3 19:54:55 CEST 2014


On Wed, Sep 3, 2014 at 8:58 AM, R. David Murray <rdmurray at bitdance.com>
wrote:

> I'm OK with letting go of this invalid-cert issue myself, given the lack
> of negative feedback Twisted got.  I'll just keep my fingers crossed.
>

I'm with this sentiment (cautiously +1) -- and not just because of
Twisted's experience or Glyph's passion.

Network security is much more important now than it was five years ago --
and yet Python 2.7 is at least that old. My own experience has changed a
lot: five years ago (when I worked at Google!) it was common to find
internal services that required SSL but had a misconfigured certificate,
and the only way to access those services was to override the browser
complaints. Today (working at Dropbox, a much smaller company!) I don't
even remember the last time I had to deal with such a browser complaint --
internal services here all redirect to SSL, and not a browser that can find
fault with their certs. If I did get a complaint about a certificate I
would fire off an email to a sysadmin alerting them to the issue.

Let's take the plunge on this issue for the next 2.7 release (3.5 being a
done deal). Yes, some people will find that they have an old script
accessing an old service which breaks. Surely some of the other changes in
the same 2.7 bugfix release will also break some other scripts. People deal
with it. Probably 90% of the time it's an annoyance (but no worse than any
other minor-release upgrade -- you should test upgrades before committing
to them, and if all else fails, roll it back). But at least some of the
time it will be a wake-up call and an expired certificate will be replaced,
resulting in more security for all.

I don't want to start preaching security doom and gloom (the experts are
doing enough of that :-), but the scale and sophistication of attacks
(whether publicized or not) is constantly increasing, and routine
maintenance checks on old software are just one of the small ways that we
can help the internet become more secure. (And please let the PSF sysadmin
team beef up *.python.org -- sooner or later some forgotten part of our
infrastructure *will* come under attack.)

-- 
--Guido van Rossum (python.org/~guido)