[Python-Dev] Enable Hostname and Certificate Chain Validation

[Paul Moore]

On 22 January 2014 12:02, Donald Stufft <donald at stufft.io> wrote:
>> We also have to account for the fact that an awful lot of Python
>> applications are corporate ones relying on perimeter defence for
>> security, or private CAs, or just self-signed certificates that their
>> users have already accepted. There are limits to the amount of
>> backwards incompatible change users will tolerate, and at this point
>> in time we're still trying to get people to accept proper Unicode
>> support.
>
> Most of those add their private CAs to the system cert stores
> which would still work fine. I don’t think this change is one that
> users would be very upset about. We received very positive
> feedback in doing similar for Pip and we did break things for
> a few people.

Speaking as someone whose day job consists entirely of working in a
corporate "behind the firewall" environment, in my experience this is
simply wrong. Most companies do *not* add private or self certificates
to the system stores. Rather, they expect their end users to click on
"Yes, Allow" in the browser *every* *time* they access the webpage. In
many cases even the local PC store and exception list is locked down,
so the user has no way of even avoiding this on a local basis. Python
and applications built on Python are often used unofficially in such
organisations for productivity-enhancing applications. Because it's
unofficial, it's often latest versions. Because it's to improve
productivity, grabbing existing apps and libraries and having them
work rather than writing your own is crucial.

Seriously - the security viewpoints I'm seeing here are so far from
corporate life that it's ridiculous. (But to be fair to corporate
environments, the firewalls involved mean that the systems involved
often have so little internet access that you can essentially ignore
anything other than internal threats).

Paul