[Python-Dev] PEP 476: Enabling certificate validation by default!

Donald Stufft donald at stufft.io
Wed Sep 3 20:39:32 CEST 2014

> On Sep 3, 2014, at 1:54 PM, Guido van Rossum <guido at python.org> wrote:
> On Wed, Sep 3, 2014 at 8:58 AM, R. David Murray <rdmurray at bitdance.com> wrote:
>> I'm OK with letting go of this invalid-cert issue myself, given the lack
>> of negative feedback Twisted got.  I'll just keep my fingers crossed.
> I'm with this sentiment (cautiously +1) -- and not just because of Twisted's experience or Glyph's passion.
> Network security is much more important now than it was five years ago -- and yet Python 2.7 is at least that old. My own experience has changed a lot: five years ago (when I worked at Google!) it was common to find internal services that required SSL but had a misconfigured certificate, and the only way to access those services was to override the browser complaints. Today (working at Dropbox, a much smaller company!) I don't even remember the last time I had to deal with such a browser complaint -- internal services here all redirect to SSL, and not a browser that can find fault with their certs. If I did get a complaint about a certificate I would fire off an email to a sysadmin alerting them to the issue.
> Let's take the plunge on this issue for the next 2.7 release (3.5 being a done deal). Yes, some people will find that they have an old script accessing an old service which breaks. Surely some of the other changes in the same 2.7 bugfix release will also break some other scripts. People deal with it. Probably 90% of the time it's an annoyance (but no worse than any other minor-release upgrade -- you should test upgrades before committing to them, and if all else fails, roll it back). But at least some of the time it will be a wake-up call and an expired certificate will be replaced, resulting in more security for all.

+1, this makes me unreasonably happy.

> I don't want to start preaching security doom and gloom (the experts are doing enough of that :-), but the scale and sophistication of attacks (whether publicized or not) is constantly increasing, and routine maintenance checks on old software are just one of the small ways that we can help the internet become more secure. (And please let the PSF sysadmin team beef up *.python.org -- sooner or later some forgotten part of our infrastructure *will* come under attack.)

This is an ongoing effort amongst the Infra team; part of the process is moving infrastructure away from hand-crafted servers towards servers managed by config management, as well as making sure all our services are behind TLS.

> -- 
> --Guido van Rossum (python.org/~guido)

Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
