Message 71682 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	janssen
Recipients	ahasenack, heikki, janssen, vila
Date	2008-08-21.21:12:28
SpamBayes Score	4.5138662e-05
Marked as misclassified	No
Message-id	<4b3e516a0808211412h28a6ca1bpda2a513d7500466c@mail.gmail.com>
In-reply-to	<1219272735.73.0.805807230774.issue1589@psf.upfronthosting.co.za>

Content
checking hostnames is false security, not real security. On 8/20/08, Heikki Toivonen <report@bugs.python.org> wrote: > > Heikki Toivonen <hjtoi-bugzilla@comcast.net> added the comment: > > > I would think most people/applications want to know to which host they > are talking to. The reason I am advocating adding a default check to the > stdlib is because this is IMO important for security, and it is easy to > get it wrong (I don't think I have it 100% correct in M2Crypto either, > although I believe it errs on the side of caution). I believe it would > be a disservice to ship something that effectively teaches developers to > ignore security (like the old socket.ssl does). > > A TLS extension also allows SSL vhosts, so static IPs are no longer > strictly necessary (this is not universally supported yet, though). > > > _______________________________________ > Python tracker <report@bugs.python.org> > <http://bugs.python.org/issue1589> > _______________________________________ >

checking hostnames is false security, not real security.

On 8/20/08, Heikki Toivonen <report@bugs.python.org> wrote:
>
>  Heikki Toivonen <hjtoi-bugzilla@comcast.net> added the comment:
>
>
> I would think most people/applications want to know to which host they
>  are talking to. The reason I am advocating adding a default check to the
>  stdlib is because this is IMO important for security, and it is easy to
>  get it wrong (I don't think I have it 100% correct in M2Crypto either,
>  although I believe it errs on the side of caution). I believe it would
>  be a disservice to ship something that effectively teaches developers to
>  ignore security (like the old socket.ssl does).
>
>  A TLS extension also allows SSL vhosts, so static IPs are no longer
>  strictly necessary (this is not universally supported yet, though).
>
>
>  _______________________________________
>  Python tracker <report@bugs.python.org>
>  <http://bugs.python.org/issue1589>
>  _______________________________________
>

History
Date	User	Action	Args
2008-08-21 21:12:31	janssen	set	recipients: + janssen, vila, heikki, ahasenack
2008-08-21 21:12:30	janssen	link	issue1589 messages
2008-08-21 21:12:28	janssen	create