Bill Janssen <[EMAIL PROTECTED]> added the comment:

I think that, where it's appropriate, you can do that.  Just don't put it in
the SSL module.

Bill

On Wed, Sep 10, 2008 at 11:24 PM, Heikki Toivonen <[EMAIL PROTECTED]> wrote:

>
> Heikki Toivonen <[EMAIL PROTECTED]> added the comment:
>
> Ok, thank you for clarifications. Now I understand why the hostname
> checking isn't the solution that fits every problem. I am still not
> completely clear how you'd do the checking otherwise, for example to
> verify the service you are talking to is what you think it is.
>
> But still, I think dealing with email servers is another common use case
> where hostname check is adequate most of the time. I am sure there are
> other cases like this. Therefore I am still of the opinion that the
> default should be to do the hostname check. Yes, make it overridable,
> but doing the check is safer than not doing any checking IMO because
> even if the check is incorrect for a certain purpose the developer is
> likely to notice an error quickly and inclined to do some other security
> check instead of not doing anything and thinking they have a secure system.
>
> If you want to continue the discussion, we should maybe take this to
> some other forum, like comp.lang.python.
>
> _______________________________________
> Python tracker <[EMAIL PROTECTED]>
> <http://bugs.python.org/issue1589>
> _______________________________________
>

Added file: http://bugs.python.org/file11463/unnamed

_______________________________________
Python tracker <[EMAIL PROTECTED]>
<http://bugs.python.org/issue1589>
_______________________________________
_______________________________________________
Python-bugs-list mailing list