On 22 January 2014 10:30, Donald Stufft <don...@stufft.io> wrote: > Python 3.4 has made great strides in making it easier for applications > to simply turn on these settings, however many people are not aware > at all that they need to opt into this. Most assume that it will operate > similarly to their browser, curl, wget, etc and validate by default and in > the typical style of security related issues it will appear to work just fine > however be grossly insecure.
Two things: 1. To be "like the browser" we'd need to use the OS certificate store, which isn't the case on Windows at the moment (managing those certificate bundle files is most definitely *not* "like the browser" - I'd have no idea how to add a self-certificate to the bundle file embedded in pip, for example). 2. Your proposal is that because some application authors have not opted in yet, we should penalise the end users of those applications by stopping them being able to use unverified https? And don't forget, applications that haven't opted in will have no switch to allow unverified use. That seems to be punishing the wrong people. Paul _______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
