This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author heikki
Recipients ahasenack, heikki, janssen, vila
Date 2008-09-11.06:24:28
SpamBayes Score 4.02517e-08
Marked as misclassified No
Message-id <>
Ok, thank you for clarifications. Now I understand why the hostname
checking isn't the solution that fits every problem. I am still not
completely clear how you'd do the checking otherwise, for example to
verify the service you are talking to is what you think it is.

But still, I think dealing with email servers is another common use case
where hostname check is adequate most of the time. I am sure there are
other cases like this. Therefore I am still of the opinion that the
default should be to do the hostname check. Yes, make it overridable,
but doing the check is safer than not doing any checking IMO because
even if the check is incorrect for a certain purpose the developer is
likely to notice an error quickly and inclined to do some other security
check instead of not doing anything and thinking they have a secure system.

If you want to continue the discussion, we should maybe take this to
some other forum, like comp.lang.python.
Date User Action Args
2008-09-11 06:24:30heikkisetrecipients: + heikki, janssen, vila, ahasenack
2008-09-11 06:24:30heikkisetmessageid: <>
2008-09-11 06:24:29heikkilinkissue1589 messages
2008-09-11 06:24:28heikkicreate