[Python-Dev] Enable Hostname and Certificate Chain Validation

[Donald Stufft]

On Jan 22, 2014, at 5:51 AM, M.-A. Lemburg <mal at egenix.com> wrote:

> On 22.01.2014 11:30, Donald Stufft wrote:
>> I would like to propose that a backwards incompatible change be made to Python to make
>> verification of hostname and certificate chain the default instead of requiring it to be opt
>> in.
>> 
>> Python 3.4 has made great strides in making it easier for applications to simply turn on these
>> settings, however many people are not aware at all that they need to opt into this. Most assume
>> that it will operate similarly to their browser, curl, wget, etc and validate by default and
>> in the typical style of security related issues it will appear to work just fine however be
>> grossly insecure.
>> 
>> In the real world “opt in security” typically translates to just plain old insecure for the
>> bulk of applications/libraries. I believe that Python has a responsibility to do the right
>> thing by default here and it is in the best position to do so. The alternative requires every
>> Python developer who wants to access a secure resource to be educated on the fact that they
>> need to flip some switch to do what most of them would expect.
> 
> Such a change would introduce considerable breakage. This would either
> have to be done using our usual pending deprecation, deprecation, removal
> dance (over three releases) or be postponed until Python 4.

I can understand the need for doing the typical deprecation dance, although
I believe such policies are often overlooked or accelerated for security
sensitive changes. I do believe that waiting until Python 4 would be doing
a great disservice to the users of Python though.

> 
> Note that several python.org services use CAcerts which would no
> longer be accessible per default following such a change.

Not that it has much to do with this proposal, but those services should
be switched to use certificates that are well trusted.

> 
> -- 
> Marc-Andre Lemburg
> eGenix.com
> 
> Professional Python Services directly from the Source  (#1, Jan 22 2014)
>>>> Python Projects, Consulting and Support ...   http://www.egenix.com/ 
>>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/ mxODBC, mxDateTime,
>>>> mxTextTools ...        http://python.egenix.com/
> ________________________________________________________________________
> 
> ::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::
> 
>   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
>    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
>           Registered at Amtsgericht Duesseldorf: HRB 46611
>               http://www.egenix.com/company/contact/


-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.python.org/pipermail/python-dev/attachments/20140122/75dfc845/attachment.sig>