On Jan 22, 2014, at 5:51 AM, M.-A. Lemburg <mal at egenix.com> wrote: > On 22.01.2014 11:30, Donald Stufft wrote: >> I would like to propose that a backwards incompatible change be made to Python to make >> verification of hostname and certificate chain the default instead of requiring it to be opt >> in. >> >> Python 3.4 has made great strides in making it easier for applications to simply turn on these >> settings, however many people are not aware at all that they need to opt into this. Most assume >> that it will operate similarly to their browser, curl, wget, etc and validate by default and >> in the typical style of security related issues it will appear to work just fine however be >> grossly insecure. >> >> In the real world “opt in security” typically translates to just plain old insecure for the >> bulk of applications/libraries. I believe that Python has a responsibility to do the right >> thing by default here and it is in the best position to do so. The alternative requires every >> Python developer who wants to access a secure resource to be educated on the fact that they >> need to flip some switch to do what most of them would expect. > > Such a change would introduce considerable breakage. This would either > have to be done using our usual pending deprecation, deprecation, removal > dance (over three releases) or be postponed until Python 4. I can understand the need for doing the typical deprecation dance, although I believe such policies are often overlooked or accelerated for security sensitive changes. I do believe that waiting until Python 4 would be doing a great disservice to the users of Python though. > > Note that several python.org services use CAcerts which would no > longer be accessible per default following such a change. Not that it has much to do with this proposal, but those services should be switched to use certificates that are well trusted. > > -- > Marc-Andre Lemburg > eGenix.com > > Professional Python Services directly from the Source (#1, Jan 22 2014) >>>> Python Projects, Consulting and Support ... http://www.egenix.com/ >>>> mxODBC.Zope/Plone.Database.Adapter ... http://zope.egenix.com/ mxODBC, mxDateTime, >>>> mxTextTools ... http://python.egenix.com/ > ________________________________________________________________________ > > ::::: Try our mxODBC.Connect Python Database Interface for free ! :::::: > > eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 > D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg > Registered at Amtsgericht Duesseldorf: HRB 46611 > http://www.egenix.com/company/contact/ ----------------- Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: Message signed with OpenPGP using GPGMail URL: <http://mail.python.org/pipermail/python-dev/attachments/20140122/75dfc845/attachment.sig>
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4