[Python-Dev] PEP 476: Enabling certificate validation by default!
R. David Murray
rdmurray at bitdance.com
Wed Sep 3 21:06:39 CEST 2014
On Wed, 03 Sep 2014 20:37:38 +0200, Antoine Pitrou <solipsis at pitrou.net> wrote:
> On Wed, 3 Sep 2014 10:54:55 -0700
> Guido van Rossum <guido at python.org> wrote:
> > Today (working at Dropbox, a much smaller company!) I don't
> > even remember the last time I had to deal with such a browser
> > complaint -- internal services here all redirect to SSL, and not a
> > browser that can find fault with their certs.
>
> Good for you. I still sometimes get warnings about expired certificates
> - and sometimes ones that don't exactly match the domain being
> fetched (for example, the certificate wouldn't be valid for that
> specific subdomain - note that CAs often charge a premium for multiple
> subdomains, which is why small or non-profit Web sites sometimes skimp on
> them).
>
> You shouldn't assume that the experience of well-connected people in
> the Silicon Valley is representative of what people over the world
> encounter. Yes, where there's a lot of money and a lot of accumulated
> domain competence, security procedures are updated and followed more
> scrupulously...
Heck, yesterday I got invalid certs from...I think it was roku.com, but
in any case not some obscure little company...the actual cert was an
akamai cert, which means something is configured wrong somewhere.
--David
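The mismatch Antoine describes (a certificate that does not cover the specific subdomain being fetched) is exactly what PEP 476's default hostname check rejects. As an added example that is not part of the thread, here is that matching logic re-implemented in plain Python over the dict layout returned by `ssl.SSLSocket.getpeercert()`, with a constructed sample certificate; `_match_dns_pattern`, `hostname_matches_cert`, `default_context_checks_hostname` and `SMALL_SITE_CERT` are names chosen for this example.

```python
# Added example (not from the thread): the core of RFC 6125-style
# dNSName matching, over the dict shape ssl.SSLSocket.getpeercert()
# returns, to show why a cert for one set of names is rejected for a
# sibling subdomain. This is what PEP 476 makes Python check by default.
import ssl


def _match_dns_pattern(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname, case-insensitively.

    A wildcard is honoured only as the entire left-most label and never
    spans a dot: '*.example.org' covers 'www.example.org' but neither
    'example.org' nor 'a.b.example.org'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject '*', 'w*.example.org', '*.org' and label-count mismatches.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert: dict, hostname: str) -> bool:
    """True if `hostname` is covered by a subjectAltName dNSName entry.

    The commonName fallback is deliberately omitted, as modern verifiers
    do; a cert whose only hostname lives in the CN fails this check.
    """
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNSName"]
    return any(_match_dns_pattern(p, hostname) for p in dns_names)


def default_context_checks_hostname() -> bool:
    """PEP 476 default: the chain is verified and so is the hostname."""
    ctx = ssl.create_default_context()
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


# Constructed sample in getpeercert() layout; not a real certificate.
SMALL_SITE_CERT = {
    "subject": ((("commonName", "example.org"),),),
    "subjectAltName": (("DNSName", "example.org"), ("DNSName", "www.example.org")),
}

if __name__ == "__main__":
    for host in ("www.example.org", "mail.example.org", "EXAMPLE.ORG."):
        print(f"{host:>18} -> {hostname_matches_cert(SMALL_SITE_CERT, host)}")
```

Running it prints True for the two names the certificate lists and False for `mail.example.org`, the "not valid for that specific subdomain" case.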