> On Aug 31, 2014, at 2:09 AM, Nick Coghlan <ncogh...@gmail.com> wrote:
>
> At the same time, we need to account for the fact that most existing
> organisations still trust in perimeter defence for their internal
> network security, and hence tolerate (or even actively encourage) the
> use of unsecured connections, or skipping certificate validation,
> internally. This is actually a really terrible idea, but it's still
> incredibly common due to the general failure of the technology
> industry to take usability issues seriously when we design security
> systems (at least until recently) - doing the wrong "unsafe" thing is
> genuinely easier than doing things right.
>
Just a quick clarification in order to be a little clearer, this change will (obviously) only affect those who trust perimeter security *and* decided to install an invalid certificate instead of just using HTTP. I'm not saying that this doesn't happen, just being specific (I'm not actually sure why they would install a TLS certificate at all if they are trusting perimeter security, but I'm sure folks do).

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
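The thread contrasts skipping certificate validation with doing it right. As an added example (not code from this thread or from CPython), the following Python shows the alternative for an organisation with an internal CA: keep Python's verifying defaults and load the internal CA bundle into the context, rather than disabling validation. The bundle path argument is an assumed placeholder; the verification-off context is built only so the checker has something to reject.

```python
import ssl
from typing import Optional


def make_verifying_context(internal_ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Build a client-side TLS context that still validates certificates.

    Starts from Python's secure defaults (system trust store, hostname
    checking) and, if an internal CA bundle path is given, adds that CA so
    certificates it issued verify without turning validation off.
    The bundle path is an assumed placeholder, not a file from this page.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    if internal_ca_bundle is not None:
        # Adds to (does not replace) the default trust store.
        ctx.load_verify_locations(cafile=internal_ca_bundle)
    return ctx


def make_unverified_context() -> ssl.SSLContext:
    """The shortcut the thread warns about: chain and hostname checks off.

    Included only so context_is_verifying() has a negative case to reject.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before verify_mode changes
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_verifying(ctx: ssl.SSLContext) -> bool:
    """True only if the context checks both the chain and the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    print("verifying context passes:", context_is_verifying(make_verifying_context()))
    print("unverified context passes:", context_is_verifying(make_unverified_context()))
```

A check like `context_is_verifying` is cheap to run in a test suite against whatever context an internal HTTP client is handed, which catches the "just disable it" shortcut before it reaches production.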