Author pitrou
Recipients christian.heimes, gvanrossum, pitrou
Date 2013-10-19.16:22:47
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1382199734.2517.20.camel@fsol>
In-reply-to <CAP7+vJJw1e=jT7M8rNWULYBZjD3yaV=pm0Fu=7z7Y7zvYaH5hg@mail.gmail.com>
Content
> @Antoine: I still claim that a flag that defaults to no security is a
> vulnerability -- nobody reads warnings in docs until *after* they've been
> bitten. It should be an explicit choice in the script or app to disable
> certificate checking.

If we were introducing urllib right now, I agree it would be better to
be "secure by default". But urlopen() has been there for a long time,
it's used a lot and changing the default will break some of the scripts
or apps that have been working fine for ages.

> If you can't access a server because its certificate
> is expired, how is that different than any other misconfiguration that
> makes a server inaccessible until its administrator fixes it?

It's different because the server isn't inaccessible. Its HTTPS service
works fine, it's just that the certificate is untrustable according to
some chosen security settings.

(besides, an expired certificate is not a "misconfiguration"; it worked
fine until it expired; not all systems have dedicated paid
administrators, so this situation is not uncommon)

Again, I think it may be reasonable to change in 3.4, but not in bugfix
versions.

By the way, I seem to remember even svn.python.org used a CACert-emitted
certificate during a long time... a cert that wasn't validated by major
browsers.
History
Date User Action Args
2013-10-19 16:22:48pitrousetrecipients: + pitrou, gvanrossum, christian.heimes
2013-10-19 16:22:48pitroulinkissue19292 messages
2013-10-19 16:22:47pitroucreate