[Python-Dev] PEP 476: Enabling certificate validation by default!
Donald Stufft
donald at stufft.io
Sun Aug 31 08:16:55 CEST 2014
> On Aug 31, 2014, at 2:09 AM, Nick Coghlan <ncoghlan at gmail.com> wrote:
>
> At the same time, we need to account for the fact that most existing
> organisations still trust in perimeter defence for their internal
> network security, and hence tolerate (or even actively encourage) the
> use of unsecured connections, or skipping certificate validation,
> internally. This is actually a really terrible idea, but it's still
> incredibly common due to the general failure of the technology
> industry to take usability issues seriously when we design security
> systems (at least until recently) - doing the wrong "unsafe" thing is
> genuinely easier than doing things right.
>

Just a quick clarification in order to be a little clearer, this change will (obviously) only affect those who trust perimeter security *and* decided to install an invalid certificate instead of just using HTTP. I'm not saying that this doesn't happen, just being specific (I'm not actually sure why they would install a TLS certificate at all if they are trusting perimeter security, but I'm sure folks do).

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA