Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Cory Benfield]

On 24 January 2014 03:06, Stephen J. Turnbull step...@xemacs.org wrote:
 Are you kidding?  These *aren't* the apps that I care about breaking,
 and I know that the PHBs won't pay attention to what I say about
 fixing their sites and cert chains (believe me, I've tried, and the
 answer is as Paul Moore says: the users can punch the go ahead anyway
 button, what's the big deal here?), they'll just deprecate Python.

Surely the solution here isn't to say well then, let's be insecure by
default, it's to provide a go ahead anyway button. That at least lets us
push the choice to be insecure by default onto someone else. The idea that
an enterprise will deprecate Python instead of adding a single environment
variable or one line at the top of their scripts seems hugely unlikely.

As an example, Requests provides a stop verifying certs button, and
that works fine for us. (I know that Requests is outside the stdlib and so
it's not a perfect analogy, but it's serviceable.) I suspect most people who
want this change don't care if users have an easy way to circumvent it,
we just want to have the user/enterprise make that choice for themselves.
Put another way, we want the average user to fall into a pit of success.
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Cory Benfield]

On 23 January 2014 08:37, Stephen J. Turnbull step...@xemacs.org wrote:

 I don't know what the right answer is, but this needs careful
 discussion and amelioration, not just you're broken, so take the
 consequences!

Absolutely. =)

With that said, having a great big button to turn the change off
(e.g. environment variable, global setting) feels like an acceptable
mitigation to me, but then I'm probably still more aggressive than the
core developers! Either way, it looks like the deprecation dance is
going to be the consensus decision here.
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Stephen J. Turnbull]

Cory Benfield writes:

  I'm overwhelmingly, dramatically +1 on this. There's no good
  architectural reason to not use the built-in certificate chains by
  default. I'd like to be in favour of backporting this change to earlier
  Python versions as well, but it feels just a bit too aggressive.

-1  This is just a bit too aggressive, too.

I'll guarantee this breaks applications all over Japan, especially in
universities because the Ministry of Education uses certificates
rooted somewhere nobody's ever heard of, and typically don't bother to
ensure the domain name matches the cert being presented.  I've even
run into such domain-match issues with banks (not banks I deal with
any more, of course!)

This is quite different from web browsers and other interactive
applications.  It has the potential to break secure mail and news
and other automatic data transfers.  Breaking people's software that
should run silently in the background just because they upgrade Python
shouldn't happen, and people here will blame Python, not their broken
websites and network apps.

I don't know what the right answer is, but this needs careful
discussion and amelioration, not just you're broken, so take the
consequences!

___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Stephen J. Turnbull]

Donald Stufft writes:

  As an additional side note, anecdotal evidence and what not, but
  *every* time I bring this up somewhere I get at least one reply
  that looks similar to
  https://twitter.com/ojiidotch/status/425986619879866368

Hey, wait a cotton-picking minute!

Are you telling me that Perl, PHP, and Ruby *do* verify certs by
default in their batteries included stdlibs, and developers using
those languages have been turning that feature off in their code for,
like, you know, well, for-EVER man!?  (They surely don't leave it on,
or my employer would have fixed their broken cert chain and hostnames
by now.)

If so, that's evidence for the practicality of the proposal, and maybe
even for fast-tracking it to catch up.  My employer and the Ministry
of Education, Culture, Science, and Technology be damned (and they
will be).

But if it's only the already security-conscious developers and
managers who go WTF?, and other environments don't do this by default,
I'd consider that a dangerous curve, slow down sign.

___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Martin v. Löwis]

Am 23.01.14 07:45, schrieb Scott Dial:
 Anecdotally, I already know of a system at work that is using HTTPS
 purely for encryption, because the authentication is done in-band. So, a
 self-signed cert was wholly sufficient. The management tools use a
 RESTful interface over HTTPS for control, but you are telling me this
 will be broken by default now. What do I tell our developers (who often
 adopt the latest and greatest versions of things to play with)?

If they play with the newest version before actually using it in
production, all is well. You can then tell them that they have
four options:
- not upgrade to the newest Python release (at least not until
  they are willing to pursue any of the other alternatives)
- update the code to disable cert validation, or explicitly
  add the self-signed cert as a trusted one programmatically.
- update the client system configuration, to add the self-signed
  certificate as trusted (system-wide or per user).
- update the server, to use a cert signed by one of the
  trusted CAs.

Regards,
Martin


___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Nick Coghlan]

On 23 January 2014 22:41, Martin v. Löwis mar...@v.loewis.de wrote:
 Am 23.01.14 07:45, schrieb Scott Dial:
 Anecdotally, I already know of a system at work that is using HTTPS
 purely for encryption, because the authentication is done in-band. So, a
 self-signed cert was wholly sufficient. The management tools use a
 RESTful interface over HTTPS for control, but you are telling me this
 will be broken by default now. What do I tell our developers (who often
 adopt the latest and greatest versions of things to play with)?

 If they play with the newest version before actually using it in
 production, all is well. You can then tell them that they have
 four options:
 - not upgrade to the newest Python release (at least not until
   they are willing to pursue any of the other alternatives)
 - update the code to disable cert validation, or explicitly
   add the self-signed cert as a trusted one programmatically.
 - update the client system configuration, to add the self-signed
   certificate as trusted (system-wide or per user).
 - update the server, to use a cert signed by one of the
   trusted CAs.

Or, depending on the exact transition plan, potentially set:
PYTHONSSLDEFAULT=NOVERIFY (akin to the no, really, don't randomise
the hashes option).

That's the kind of question a PEP would be needed to thrash out, though.

Cheers,
Nick.

-- 
Nick Coghlan   |   ncogh...@gmail.com   |   Brisbane, Australia
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Antoine Pitrou]

On Thu, 23 Jan 2014 01:45:15 -0500
Scott Dial scott+python-...@scottdial.com wrote:
 
 Anecdotally, I already know of a system at work that is using HTTPS
 purely for encryption, because the authentication is done in-band. So, a
 self-signed cert was wholly sufficient. The management tools use a
 RESTful interface over HTTPS for control, but you are telling me this
 will be broken by default now. What do I tell our developers (who often
 adopt the latest and greatest versions of things to play with)?

That the system may be vulnerable to MITM attacks? (depending on how
the authentication is done)

Regards

Antoine.


___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Antoine Pitrou]

On Thu, 23 Jan 2014 06:02:18 +
Kristján Valur Jónsson krist...@ccpgames.com wrote:
 
 If not already possible, I suggest that we allow the use of a certificate 
 validation callback
 (it isn't possible for 2.7, I just hacked in one yesterday to allow me to 
 ignore out-date-failure for certificates.)
 Using this, it would be possible to e.g. emit warnings when certificiate 
 failures occur, rather than deny connection outright.

That's a possible transition measure indeed.

Regards

Antoine.


___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Wes Turner]

On 2014-01-22 9:33 AM, Donald Stufft wrote:
 For everything but pip, you’d add it to your OS cert store. Pip doesn’t
 use that so you’d have to use the —cert config.

 What if I don't want that self-signed cert to be trusted by all users on
the system?

Specify a client cert and an appropriate CA bundle.

 What if I don't have administrative rights?

Specify an appropriate CA bundle for which there are appropriate permissions.

 How do I do it then? Is this common knowledge for average users? Are we 
 trading one big
red box in the documentation for another?

That's really not the case.

Current web browsers are not susceptible to this particular issue.

 Anecdotally, I already know of a system at work that is using HTTPS
 purely for encryption, because the authentication is done in-band. So, a
 self-signed cert was wholly sufficient. The management tools use a
 RESTful interface over HTTPS for control, but you are telling me this
 will be broken by default now. What do I tell our developers (who often
 adopt the latest and greatest versions of things to play with)?

There are layers. OSI layers, if you prefer. It sounds like the
relevant layers here are:

* HTTP
* SSL/TLS
* TCP

A MITM compromise of the channel (e.g. by a rogue security tester
responding with a different SSL certificate that is not signed by a
CA, with a different hostname than requested) renders most 'in-band'
authentication mechanisms (such as HTTP Basic, Digest, and
Cookie-based Sessions) invalid.

'Higher layers' generally operate by sharing tokens as plaintext. With
SSL compromised through a MITM (as allowed by not validating hostnames
by default), said security tester could trivially intercept and modify
any of the requests and responses in the channel.

CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
http://cwe.mitre.org/data/definitions/300.html

To use a bad metaphor: it's like the carrier piegeon stops on the way
home and there's no seal.
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Wes Turner]

 But if it's only the already security-conscious developers and
 managers who go WTF?, and other environments don't do this by default,
 I'd consider that a dangerous curve, slow down sign.

Mitigations:

**Packaging**

  * Upgrade setuptools (distribute, zc.buildout)
  * Avoid easy_install, python setup.py install, and python setup.py develop
(until it can be verified that the installed version of setuptools contains
 VerifyingHTTPSHandler [1])

 
https://bitbucket.org/pypa/setuptools/history-node/tip/setuptools/ssl_support.py

  * +1 for Pip install -e
vcs+ssh://v...@example.org/username/pkgname@semver@egg=pkgname
  * +1 for Conda
  * +1 for OS packages


**Implementation**

* Python  3.4 : https://pypi.python.org/pypi/backports.ssl_match_hostname


**Awareness**

* Big red warning boxes: (.. warning:: in RST): Documentation
* This must not be easy to test.
* 
http://www.cvedetails.com/vulnerability-list/vendor_id-10210/product_id-18230/Python-Python.html


--
Wes Turner


On Thu, Jan 23, 2014 at 3:05 AM, Stephen J. Turnbull step...@xemacs.org wrote:
 Donald Stufft writes:

   As an additional side note, anecdotal evidence and what not, but
   *every* time I bring this up somewhere I get at least one reply
   that looks similar to
   https://twitter.com/ojiidotch/status/425986619879866368

 Hey, wait a cotton-picking minute!

 Are you telling me that Perl, PHP, and Ruby *do* verify certs by
 default in their batteries included stdlibs, and developers using
 those languages have been turning that feature off in their code for,
 like, you know, well, for-EVER man!?  (They surely don't leave it on,
 or my employer would have fixed their broken cert chain and hostnames
 by now.)

 If so, that's evidence for the practicality of the proposal, and maybe
 even for fast-tracking it to catch up.  My employer and the Ministry
 of Education, Culture, Science, and Technology be damned (and they
 will be).

 But if it's only the already security-conscious developers and
 managers who go WTF?, and other environments don't do this by default,
 I'd consider that a dangerous curve, slow down sign.

 ___
 Python-Dev mailing list
 Python-Dev@python.org
 https://mail.python.org/mailman/listinfo/python-dev
 Unsubscribe: 
 https://mail.python.org/mailman/options/python-dev/wes.turner%40gmail.com
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Ethan Furman]

On 01/22/2014 04:15 AM, Donald Stufft wrote:


As I’ve said multiple times, I think it’s fine to send it through the
deprecation process which is still pretty long and gives people
a good chunk of time to update.


Agreed.

--
~Ethan~
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Ethan Furman]

On 01/22/2014 05:16 AM, M.-A. Lemburg wrote:

On 22.01.2014 13:43, Jesse Noller wrote:


Donald is perfectly right: today, it's trivial to MITM an application
 that relies off of the current behavior; this is bad news bears for
 users and developers as it means they need domain knowledge to secure
 their applications by default they may not have.


I don't think you need much domain knowledge to insert
a single line of code into applications to enable the checks.


I find myself on the dumb user side of this argument, and I think it is much like the str/unicode transition of 3.0 -- 
which is it say, there are many who didn't understand unicode until forced to by 3.0, and likewise there will be many 
who don't understand security until forced to by enabling this new feature.  One big difference is it's possible to 
opt-out of this security feature (which is a good thing, considering all the ill-configured systems out there).


--
~Ethan~
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Stephen J. Turnbull]

Wes Turner writes:
   But if it's only the already security-conscious developers and
   managers who go WTF?, and other environments don't do this by default,
   I'd consider that a dangerous curve, slow down sign.
  
  Mitigations:
  
  **Packaging**
  
* Upgrade setuptools (distribute, zc.buildout)
* Avoid easy_install, python setup.py install, and python setup.py develop
  (until it can be verified that the installed version of setuptools 
  contains
   VerifyingHTTPSHandler [1])

Are you kidding?  These *aren't* the apps that I care about breaking,
and I know that the PHBs won't pay attention to what I say about
fixing their sites and cert chains (believe me, I've tried, and the
answer is as Paul Moore says: the users can punch the go ahead anyway
button, what's the big deal here?), they'll just deprecate Python.

My question remains:

   Are you telling me that Perl, PHP, and Ruby *do* verify certs by
   default in their batteries included stdlibs, and developers using
   those languages have been turning that feature off in their code for,
   like, you know, well, for-EVER man!?

I find that hard to believe, given that the security of the network
remains broken yet there aren't warnings out to avoid these platforms.
(BTW, my employer prides itself on being Matz's alma mater ... they
actually might do something if Ruby was breaking things!)
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Donald Stufft]

On Jan 23, 2014, at 10:06 PM, Stephen J. Turnbull step...@xemacs.org wrote:

 Wes Turner writes:
 But if it's only the already security-conscious developers and
 managers who go WTF?, and other environments don't do this by default,
 I'd consider that a dangerous curve, slow down sign.
 
 Mitigations:
 
 **Packaging**
 
  * Upgrade setuptools (distribute, zc.buildout)
  * Avoid easy_install, python setup.py install, and python setup.py develop
(until it can be verified that the installed version of setuptools 
 contains
 VerifyingHTTPSHandler [1])
 
 Are you kidding?  These *aren't* the apps that I care about breaking,
 and I know that the PHBs won't pay attention to what I say about
 fixing their sites and cert chains (believe me, I've tried, and the
 answer is as Paul Moore says: the users can punch the go ahead anyway
 button, what's the big deal here?), they'll just deprecate Python.
 
 My question remains:
 
 Are you telling me that Perl, PHP, and Ruby *do* verify certs by
 default in their batteries included stdlibs, and developers using
 those languages have been turning that feature off in their code for,
 like, you know, well, for-EVER man!?
 
 I find that hard to believe, given that the security of the network
 remains broken yet there aren't warnings out to avoid these platforms.
 (BTW, my employer prides itself on being Matz's alma mater ... they
 actually might do something if Ruby was breaking things!)

Ruby has verified the peer by default since Ruby 1.9

Go also verifies by default, I’m not aware if PHP or Perl do.

-
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA



signature.asc
Description: Message signed with OpenPGP using GPGMail
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Donald Stufft]

On Jan 23, 2014, at 10:09 PM, Donald Stufft don...@stufft.io wrote:

 
 On Jan 23, 2014, at 10:06 PM, Stephen J. Turnbull step...@xemacs.org wrote:
 
 Wes Turner writes:
 But if it's only the already security-conscious developers and
 managers who go WTF?, and other environments don't do this by default,
 I'd consider that a dangerous curve, slow down sign.
 
 Mitigations:
 
 **Packaging**
 
 * Upgrade setuptools (distribute, zc.buildout)
 * Avoid easy_install, python setup.py install, and python setup.py develop
   (until it can be verified that the installed version of setuptools 
 contains
VerifyingHTTPSHandler [1])
 
 Are you kidding?  These *aren't* the apps that I care about breaking,
 and I know that the PHBs won't pay attention to what I say about
 fixing their sites and cert chains (believe me, I've tried, and the
 answer is as Paul Moore says: the users can punch the go ahead anyway
 button, what's the big deal here?), they'll just deprecate Python.
 
 My question remains:
 
 Are you telling me that Perl, PHP, and Ruby *do* verify certs by
 default in their batteries included stdlibs, and developers using
 those languages have been turning that feature off in their code for,
 like, you know, well, for-EVER man!?
 
 I find that hard to believe, given that the security of the network
 remains broken yet there aren't warnings out to avoid these platforms.
 (BTW, my employer prides itself on being Matz's alma mater ... they
 actually might do something if Ruby was breaking things!)
 
 Ruby has verified the peer by default since Ruby 1.9
 
 Go also verifies by default, I’m not aware if PHP or Perl do.

Oh, Node.js also verifies by default, PHP apparently does not.


-
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA



signature.asc
Description: Message signed with OpenPGP using GPGMail
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

[Python-Dev] Enable Hostname and Certificate Chain Validation

[Donald Stufft]

I would like to propose that a backwards incompatible change be
made to Python to make verification of hostname and certificate
chain the default instead of requiring it to be opt in.

Python 3.4 has made great strides in making it easier for applications
to simply turn on these settings, however many people are not aware
at all that they need to opt into this. Most assume that it will operate
similarly to their browser, curl, wget, etc and validate by default and in
the typical style of security related issues it will appear to work just fine
however be grossly insecure.

In the real world “opt in security” typically translates to just plain old 
insecure
for the bulk of applications/libraries. I believe that Python has a 
responsibility
to do the right thing by default here and it is in the best position to do so. 
The
alternative requires every Python developer who wants to access a secure
resource to be educated on the fact that they need to flip some switch to
do what most of them would expect.

-
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA



signature.asc
Description: Message signed with OpenPGP using GPGMail
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[M.-A. Lemburg]

On 22.01.2014 11:30, Donald Stufft wrote:
 I would like to propose that a backwards incompatible change be made to 
 Python to make
 verification of hostname and certificate chain the default instead of 
 requiring it to be opt
 in.
 
 Python 3.4 has made great strides in making it easier for applications to 
 simply turn on these
 settings, however many people are not aware at all that they need to opt into 
 this. Most assume
 that it will operate similarly to their browser, curl, wget, etc and validate 
 by default and
 in the typical style of security related issues it will appear to work just 
 fine however be
 grossly insecure.
 
 In the real world “opt in security” typically translates to just plain old 
 insecure for the
 bulk of applications/libraries. I believe that Python has a responsibility to 
 do the right
 thing by default here and it is in the best position to do so. The 
 alternative requires every
 Python developer who wants to access a secure resource to be educated on the 
 fact that they
 need to flip some switch to do what most of them would expect.

Such a change would introduce considerable breakage. This would either
have to be done using our usual pending deprecation, deprecation, removal
dance (over three releases) or be postponed until Python 4.

Note that several python.org services use CAcerts which would no
longer be accessible per default following such a change.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Jan 22 2014)
 Python Projects, Consulting and Support ...   http://www.egenix.com/ 
 mxODBC.Zope/Plone.Database.Adapter ...   http://zope.egenix.com/ 
 mxODBC, mxDateTime,
 mxTextTools ...http://python.egenix.com/


: Try our mxODBC.Connect Python Database Interface for free ! ::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
   Registered at Amtsgericht Duesseldorf: HRB 46611
   http://www.egenix.com/company/contact/
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Donald Stufft]

On Jan 22, 2014, at 5:51 AM, M.-A. Lemburg m...@egenix.com wrote:

 On 22.01.2014 11:30, Donald Stufft wrote:
 I would like to propose that a backwards incompatible change be made to 
 Python to make
 verification of hostname and certificate chain the default instead of 
 requiring it to be opt
 in.
 
 Python 3.4 has made great strides in making it easier for applications to 
 simply turn on these
 settings, however many people are not aware at all that they need to opt 
 into this. Most assume
 that it will operate similarly to their browser, curl, wget, etc and 
 validate by default and
 in the typical style of security related issues it will appear to work just 
 fine however be
 grossly insecure.
 
 In the real world “opt in security” typically translates to just plain old 
 insecure for the
 bulk of applications/libraries. I believe that Python has a responsibility 
 to do the right
 thing by default here and it is in the best position to do so. The 
 alternative requires every
 Python developer who wants to access a secure resource to be educated on the 
 fact that they
 need to flip some switch to do what most of them would expect.
 
 Such a change would introduce considerable breakage. This would either
 have to be done using our usual pending deprecation, deprecation, removal
 dance (over three releases) or be postponed until Python 4.

I can understand the need for doing the typical deprecation dance, although
I believe such policies are often overlooked or accelerated for security
sensitive changes. I do believe that waiting until Python 4 would be doing
a great disservice to the users of Python though.

 
 Note that several python.org services use CAcerts which would no
 longer be accessible per default following such a change.

Not that it has much to do with this proposal, but those services should
be switched to use certificates that are well trusted.

 
 -- 
 Marc-Andre Lemburg
 eGenix.com
 
 Professional Python Services directly from the Source  (#1, Jan 22 2014)
 Python Projects, Consulting and Support ...   http://www.egenix.com/ 
 mxODBC.Zope/Plone.Database.Adapter ...   http://zope.egenix.com/ 
 mxODBC, mxDateTime,
 mxTextTools ...http://python.egenix.com/
 
 
 : Try our mxODBC.Connect Python Database Interface for free ! ::
 
   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
   Registered at Amtsgericht Duesseldorf: HRB 46611
   http://www.egenix.com/company/contact/


-
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA



signature.asc
Description: Message signed with OpenPGP using GPGMail
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Donald Stufft]

On Jan 22, 2014, at 6:21 AM, Paul Moore p.f.mo...@gmail.com wrote:

 On 22 January 2014 10:30, Donald Stufft don...@stufft.io wrote:
 Python 3.4 has made great strides in making it easier for applications
 to simply turn on these settings, however many people are not aware
 at all that they need to opt into this. Most assume that it will operate
 similarly to their browser, curl, wget, etc and validate by default and in
 the typical style of security related issues it will appear to work just fine
 however be grossly insecure.
 
 Two things:
 
 1. To be like the browser we'd need to use the OS certificate store,
 which isn't the case on Windows at the moment (managing those
 certificate bundle files is most definitely *not* like the browser -
 I'd have no idea how to add a self-certificate to the bundle file
 embedded in pip, for example).

Python 3.4 added the ability to use the OS cert store on Windows,
see http://bugs.python.org/issue17134.

 2. Your proposal is that because some application authors have not
 opted in yet, we should penalise the end users of those applications
 by stopping them being able to use unverified https? And don't forget,
 applications that haven't opted in will have no switch to allow
 unverified use. That seems to be punishing the wrong people.

Some applications will need to be updated yes to provide such a switch
but the alternative is that every user of this API needs to configure it
to verify certificates. The difference is that with my proposal the error
condition is very obvious, the SSL certificate will fail to validate, a bug
can be filed and it can be fixed. With the current behavior they only
way you’d know is if you expected it to fail and didn’t, or you went
specifically looking.

It’s a dangerous by default API that punishes people for not knowing
that they need to turn it on, and punishes people who use those
applications. However it won’t punish them directly, instead it’ll just
make it possible to MITM their connection, possibly leaking sensitive
material.


-
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA



signature.asc
Description: Message signed with OpenPGP using GPGMail
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[M.-A. Lemburg]

On 22.01.2014 11:56, Donald Stufft wrote:
 
 On Jan 22, 2014, at 5:51 AM, M.-A. Lemburg m...@egenix.com wrote:
 
 On 22.01.2014 11:30, Donald Stufft wrote:
 I would like to propose that a backwards incompatible change be made to 
 Python to make
 verification of hostname and certificate chain the default instead of 
 requiring it to be opt
 in.

 Python 3.4 has made great strides in making it easier for applications to 
 simply turn on these
 settings, however many people are not aware at all that they need to opt 
 into this. Most assume
 that it will operate similarly to their browser, curl, wget, etc and 
 validate by default and
 in the typical style of security related issues it will appear to work just 
 fine however be
 grossly insecure.

 In the real world “opt in security” typically translates to just plain old 
 insecure for the
 bulk of applications/libraries. I believe that Python has a responsibility 
 to do the right
 thing by default here and it is in the best position to do so. The 
 alternative requires every
 Python developer who wants to access a secure resource to be educated on 
 the fact that they
 need to flip some switch to do what most of them would expect.

 Such a change would introduce considerable breakage. This would either
 have to be done using our usual pending deprecation, deprecation, removal
 dance (over three releases) or be postponed until Python 4.
 
 I can understand the need for doing the typical deprecation dance, although
 I believe such policies are often overlooked or accelerated for security
 sensitive changes. I do believe that waiting until Python 4 would be doing
 a great disservice to the users of Python though.

Well, it's not really a security issue, since the security features
are present in Python 3.4. It's just that the user has to enable them.

 Note that several python.org services use CAcerts which would no
 longer be accessible per default following such a change.
 
 Not that it has much to do with this proposal, but those services should
 be switched to use certificates that are well trusted.

Oh, it does have to do with the proposal, since it's a prominent
example of services that would no longer work. While we can potentially
change the situation for python.org servers, you have the same issues
with other services which we don't have any influence on.

The change would also disable all services using self-signed
certificates which are very common in internal networks and
for ad-hoc setups. Many routers and other devices use self-signed
certificates when offering HTTPS services.

I think overall, it's good to have default security, but locking out
all certificates which do not have their root CA certs installed
in default installations of systems per default would likely lead to
people seeking other more insecure ways of getting things to work,
rather than asking their admins to add their CA certs to the certificate
chain configuration. So I'm not sure whether raising errors is the
best way to achieve better default security. Perhaps just using
warnings would be better.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Jan 22 2014)
 Python Projects, Consulting and Support ...   http://www.egenix.com/
 mxODBC.Zope/Plone.Database.Adapter ...   http://zope.egenix.com/
 mxODBC, mxDateTime, mxTextTools ...http://python.egenix.com/


: Try our mxODBC.Connect Python Database Interface for free ! ::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
   Registered at Amtsgericht Duesseldorf: HRB 46611
   http://www.egenix.com/company/contact/
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Donald Stufft]

On Jan 22, 2014, at 6:30 AM, M.-A. Lemburg m...@egenix.com wrote:

 On 22.01.2014 11:56, Donald Stufft wrote:
 
 On Jan 22, 2014, at 5:51 AM, M.-A. Lemburg m...@egenix.com wrote:
 
 On 22.01.2014 11:30, Donald Stufft wrote:
 I would like to propose that a backwards incompatible change be made to 
 Python to make
 verification of hostname and certificate chain the default instead of 
 requiring it to be opt
 in.
 
 Python 3.4 has made great strides in making it easier for applications to 
 simply turn on these
 settings, however many people are not aware at all that they need to opt 
 into this. Most assume
 that it will operate similarly to their browser, curl, wget, etc and 
 validate by default and
 in the typical style of security related issues it will appear to work 
 just fine however be
 grossly insecure.
 
 In the real world “opt in security” typically translates to just plain old 
 insecure for the
 bulk of applications/libraries. I believe that Python has a responsibility 
 to do the right
 thing by default here and it is in the best position to do so. The 
 alternative requires every
 Python developer who wants to access a secure resource to be educated on 
 the fact that they
 need to flip some switch to do what most of them would expect.
 
 Such a change would introduce considerable breakage. This would either
 have to be done using our usual pending deprecation, deprecation, removal
 dance (over three releases) or be postponed until Python 4.
 
 I can understand the need for doing the typical deprecation dance, although
 I believe such policies are often overlooked or accelerated for security
 sensitive changes. I do believe that waiting until Python 4 would be doing
 a great disservice to the users of Python though.
 
 Well, it's not really a security issue, since the security features
 are present in Python 3.4. It's just that the user has to enable them.

I explicitly didn’t call it a security issue, but rather a security sensitive
change, which it is. This would effectively be making Python more
secure by default and removing a security related footgun.

 
 Note that several python.org services use CAcerts which would no
 longer be accessible per default following such a change.
 
 Not that it has much to do with this proposal, but those services should
 be switched to use certificates that are well trusted.
 
 Oh, it does have to do with the proposal, since it's a prominent
 example of services that would no longer work. While we can potentially
 change the situation for python.org servers, you have the same issues
 with other services which we don't have any influence on.

I meant the statement that they should be switched to a well trusted
certificate didn’t have much to do with this proposal. 

 
 The change would also disable all services using self-signed
 certificates which are very common in internal networks and
 for ad-hoc setups. Many routers and other devices use self-signed
 certificates when offering HTTPS services.

It will just disable them by default, they can still easily be accessed
you’d just need to pass the “do not verify” flag. This clearly indicates
that you’re opting out of the S in HTTPS.

 
 I think overall, it's good to have default security, but locking out
 all certificates which do not have their root CA certs installed
 in default installations of systems per default would likely lead to
 people seeking other more insecure ways of getting things to work,
 rather than asking their admins to add their CA certs to the certificate
 chain configuration. So I'm not sure whether raising errors is the
 best way to achieve better default security. Perhaps just using
 warnings would be better.

Again it’s not “locking out”, it’s simply “requires explicitly saying
I want to not validate”.

It’s hard to be more insecure than not verifying. Just about the only
other way is to use plaintext but the only real difference there is
passive vs attack attacks. However typically if you’re in the situation
to do a passive attack you can also do an active attack. So “more
insecure” is minorly more insecure while an error is drastically
more secure.

 
 -- 
 Marc-Andre Lemburg
 eGenix.com
 
 Professional Python Services directly from the Source  (#1, Jan 22 2014)
 Python Projects, Consulting and Support ...   http://www.egenix.com/
 mxODBC.Zope/Plone.Database.Adapter ...   http://zope.egenix.com/
 mxODBC, mxDateTime, mxTextTools ...http://python.egenix.com/
 
 
 : Try our mxODBC.Connect Python Database Interface for free ! ::
 
   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
   Registered at Amtsgericht Duesseldorf: HRB 46611
   http://www.egenix.com/company/contact/


-
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Donald Stufft]

On Jan 22, 2014, at 6:21 AM, Paul Moore p.f.mo...@gmail.com wrote:

 2. Your proposal is that because some application authors have not
 opted in yet, we should penalise the end users of those applications
 by stopping them being able to use unverified https? And don't forget,
 applications that haven't opted in will have no switch to allow
 unverified use. That seems to be punishing the wrong people.

Another thought, if this is seriously a blocker something simple like
an environment variable could be added that switches the default.
Which would act as a global sort of —insecure flag for applications
that don’t provide one. I really don’t like the idea of doing that, but
it would be better than not validating by default.

-
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA



signature.asc
Description: Message signed with OpenPGP using GPGMail
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Nick Coghlan]

On 22 January 2014 21:21, Paul Moore p.f.mo...@gmail.com wrote:
 On 22 January 2014 10:30, Donald Stufft don...@stufft.io wrote:
 Python 3.4 has made great strides in making it easier for applications
 to simply turn on these settings, however many people are not aware
 at all that they need to opt into this. Most assume that it will operate
 similarly to their browser, curl, wget, etc and validate by default and in
 the typical style of security related issues it will appear to work just fine
 however be grossly insecure.

 Two things:

 1. To be like the browser we'd need to use the OS certificate store,
 which isn't the case on Windows at the moment (managing those
 certificate bundle files is most definitely *not* like the browser -
 I'd have no idea how to add a self-certificate to the bundle file
 embedded in pip, for example).
 2. Your proposal is that because some application authors have not
 opted in yet, we should penalise the end users of those applications
 by stopping them being able to use unverified https? And don't forget,
 applications that haven't opted in will have no switch to allow
 unverified use. That seems to be punishing the wrong people.

Right, the browsers have a whole system of click through security to
make the web (and corporate intranets!) still usable even when they
only accept CA signed certs by default. With a programming language,
there's no such interactivity, so applications just break and users
don't know why.

It's notable that even Linux distros haven't made this change in their
system Python builds, and commercial Linux distros have raised
paranoia to an art form (since that's a respectable chunk of what
their users are paying for).

We also have to account for the fact that an awful lot of Python
applications are corporate ones relying on perimeter defence for
security, or private CAs, or just self-signed certificates that their
users have already accepted. There are limits to the amount of
backwards incompatible change users will tolerate, and at this point
in time we're still trying to get people to accept proper Unicode
support.

Even the package distribution tools are struggling with the
consequences of trying to lock things down by default - every new
release of pip currently brings someone else out of the woodwork
pointing out they were relying on whichever insecure default we have
changed on them this time.

Securing the web is a boil the ocean type task - Python 3.4 takes us
a step closer by making it possible for people to easily use the
system certs via ssl.create_default_context()
(http://docs.python.org/dev/library/ssl.html#ssl.create_default_context),
but move fast and break things isn't going to work on this one any
more than it does for proper Unicode support or the IPv4 to IPv6
transition. Security concerns are too abstract for most people for
them to accept it as an excuse when you tell them you broke their
software for their own good.

The only before-Python-4 approach I can potentially see working is this:

1. Provide ssl.create_default_context() in 3.4 (done)
2. Deprecate the implicit SSL context in 3.5
3. Remove the implicit SSL context in 3.6
4. Make the default context the implicit context in 3.7

It would be slow, but we *could* get there. You *might* even be able
to make the case for collapsing steps 3 and 4 together so that the
more secure default is brought in as part of 3.6 in 2017.

I'd suggest a PEP along those lines, but I think you already have
plenty to keep you busy helping to ride herd on the packaging
ecosystem :)

In the meantime, making it so that it *is* just a single additional
function call to get proper TLS security settings in 3.4 is a major
step forward (thanks Christian!).

Cheers,
Nick.


-- 
Nick Coghlan   |   ncogh...@gmail.com   |   Brisbane, Australia
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[M.-A. Lemburg]

On 22.01.2014 12:36, Donald Stufft wrote:
 
 On Jan 22, 2014, at 6:30 AM, M.-A. Lemburg m...@egenix.com wrote:
 The change would also disable all services using self-signed
 certificates which are very common in internal networks and
 for ad-hoc setups. Many routers and other devices use self-signed
 certificates when offering HTTPS services.
 
 It will just disable them by default, they can still easily be accessed
 you’d just need to pass the “do not verify” flag. This clearly indicates
 that you’re opting out of the S in HTTPS.
 

 I think overall, it's good to have default security, but locking out
 all certificates which do not have their root CA certs installed
 in default installations of systems per default would likely lead to
 people seeking other more insecure ways of getting things to work,
 rather than asking their admins to add their CA certs to the certificate
 chain configuration. So I'm not sure whether raising errors is the
 best way to achieve better default security. Perhaps just using
 warnings would be better.
 
 Again it’s not “locking out”, it’s simply “requires explicitly saying
 I want to not validate”.

This would have to configurable without changing application code,
e.g. using an environment settings.

Otherwise, you do lock out existing scripts and applications from
using Python 3.6 by requiring supporting custom configurations
from all of them.

Simply saying: oh, just change your code to never validate is not
a good solution either.

 It’s hard to be more insecure than not verifying. Just about the only
 other way is to use plaintext but the only real difference there is
 passive vs attack attacks. However typically if you’re in the situation
 to do a passive attack you can also do an active attack. So “more
 insecure” is minorly more insecure while an error is drastically
 more secure.

I disagree with that statement. Using HTTPS without verification
is still far more secure than using plain text.

I know that verification is a lot better, but please remember
that practicality beats purity.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Jan 22 2014)
 Python Projects, Consulting and Support ...   http://www.egenix.com/
 mxODBC.Zope/Plone.Database.Adapter ...   http://zope.egenix.com/
 mxODBC, mxDateTime, mxTextTools ...http://python.egenix.com/


: Try our mxODBC.Connect Python Database Interface for free ! ::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
   Registered at Amtsgericht Duesseldorf: HRB 46611
   http://www.egenix.com/company/contact/
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Nick Coghlan]

On 22 January 2014 21:36, Donald Stufft don...@stufft.io wrote:
 On Jan 22, 2014, at 6:30 AM, M.-A. Lemburg m...@egenix.com wrote:
 The change would also disable all services using self-signed
 certificates which are very common in internal networks and
 for ad-hoc setups. Many routers and other devices use self-signed
 certificates when offering HTTPS services.

 It will just disable them by default, they can still easily be accessed
 you’d just need to pass the “do not verify” flag. This clearly indicates
 that you’re opting out of the S in HTTPS.

You need to remember that *Python is fundamentally not an
application*. We don't control the interaction with the user,
application developers do, and every decision we make has to take that
into account.

The kinds of decisions that an application like a web browser or a
package installer can make aren't necessarily available to a runtime.
We had to be cautious even with the initial hash randomisation change
to avoid breaking currently working applications.

Look at the anger that people express about us making Python 3 more
sensitive to environment misconfiguration on POSIX systems: people
don't blame the misconfigured environment that Python 2 tolerated with
an increased risk of data corruption, they blame *us* for breaking
something that used to work by default.

The change you're proposing would mean that *every* Python application
would either need to be updated to explicitly opt in to insecurity
(the path most of them will take, because humans) or else to provide a
set this option to make your computer work again insecurity flag
(which is a bad idea anyway, again because humans).

There are currently still too many valid reasons for not using
verified SSL for us to realistically make it the default without a
seriously long transition period (not quite IPv6 or even Python 3
long, but certainly not as short as the time period involved in
introducing hash randomisation).

Regards,
Nick.

-- 
Nick Coghlan   |   ncogh...@gmail.com   |   Brisbane, Australia
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Donald Stufft]

On Jan 22, 2014, at 6:45 AM, Nick Coghlan ncogh...@gmail.com wrote:

 On 22 January 2014 21:21, Paul Moore p.f.mo...@gmail.com wrote:
 On 22 January 2014 10:30, Donald Stufft don...@stufft.io wrote:
 Python 3.4 has made great strides in making it easier for applications
 to simply turn on these settings, however many people are not aware
 at all that they need to opt into this. Most assume that it will operate
 similarly to their browser, curl, wget, etc and validate by default and in
 the typical style of security related issues it will appear to work just 
 fine
 however be grossly insecure.
 
 Two things:
 
 1. To be like the browser we'd need to use the OS certificate store,
 which isn't the case on Windows at the moment (managing those
 certificate bundle files is most definitely *not* like the browser -
 I'd have no idea how to add a self-certificate to the bundle file
 embedded in pip, for example).
 2. Your proposal is that because some application authors have not
 opted in yet, we should penalise the end users of those applications
 by stopping them being able to use unverified https? And don't forget,
 applications that haven't opted in will have no switch to allow
 unverified use. That seems to be punishing the wrong people.
 
 Right, the browsers have a whole system of click through security to
 make the web (and corporate intranets!) still usable even when they
 only accept CA signed certs by default. With a programming language,
 there's no such interactivity, so applications just break and users
 don't know why.
 
 It's notable that even Linux distros haven't made this change in their
 system Python builds, and commercial Linux distros have raised
 paranoia to an art form (since that's a respectable chunk of what
 their users are paying for).

I was actually talking to a Debian maintainer about the likelihood
of making this change there earlier today :) If I fail at making this
change in upstream I’ll be lobbying downstream and then we’ll
just have different behaviors based on where you get your Python
from which I think stinks.

 
 We also have to account for the fact that an awful lot of Python
 applications are corporate ones relying on perimeter defence for
 security, or private CAs, or just self-signed certificates that their
 users have already accepted. There are limits to the amount of
 backwards incompatible change users will tolerate, and at this point
 in time we're still trying to get people to accept proper Unicode
 support.

Most of those add their private CAs to the system cert stores
which would still work fine. I don’t think this change is one that
users would be very upset about. We received very positive
feedback in doing similar for Pip and we did break things for
a few people.

 
 Even the package distribution tools are struggling with the
 consequences of trying to lock things down by default - every new
 release of pip currently brings someone else out of the woodwork
 pointing out they were relying on whichever insecure default we have
 changed on them this time.

Again speaking to the packaging tools, the switch to verifying SSL
was very well tolerated, it was other changes that are unrelated
this this proposal that have caused the bulk of the issues.

 
 Securing the web is a boil the ocean type task - Python 3.4 takes us
 a step closer by making it possible for people to easily use the
 system certs via ssl.create_default_context()
 (http://docs.python.org/dev/library/ssl.html#ssl.create_default_context),
 but move fast and break things isn't going to work on this one any
 more than it does for proper Unicode support or the IPv4 to IPv6
 transition. Security concerns are too abstract for most people for
 them to accept it as an excuse when you tell them you broke their
 software for their own good.

Calling this a “boil the ocean” type task is facetious. Yes securing the
web as a whole would be like boiling the ocean, but enabling TLS
validation by default is like basic 101 level.

 
 The only before-Python-4 approach I can potentially see working is this:
 
 1. Provide ssl.create_default_context() in 3.4 (done)
 2. Deprecate the implicit SSL context in 3.5
 3. Remove the implicit SSL context in 3.6
 4. Make the default context the implicit context in 3.7
 
 It would be slow, but we *could* get there. You *might* even be able
 to make the case for collapsing steps 3 and 4 together so that the
 more secure default is brought in as part of 3.6 in 2017.

This would be OK, obviously i’d prefer it to happen on as quickly
as timeline as possible but like I said earlier I can totally see
the need to have the deprecation process.

 
 I'd suggest a PEP along those lines, but I think you already have
 plenty to keep you busy helping to ride herd on the packaging
 ecosystem :)

If a PEP is required for this I’ll write one. I have no idea what
changes need a PEP or not and I default to not writing one
because it’s easier :)

 
 In the meantime, making it so that it *is* 

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Donald Stufft]

On Jan 22, 2014, at 7:03 AM, Paul Moore p.f.mo...@gmail.com wrote:

 On 22 January 2014 11:29, Donald Stufft don...@stufft.io wrote:
 1. To be like the browser we'd need to use the OS certificate store,
 which isn't the case on Windows at the moment (managing those
 certificate bundle files is most definitely *not* like the browser -
 I'd have no idea how to add a self-certificate to the bundle file
 embedded in pip, for example).
 
 Python 3.4 added the ability to use the OS cert store on Windows,
 see http://bugs.python.org/issue17134.
 
 Brilliant. I didn't know that.
 
 Will pip when run on Python 3.4 use the OS cert store? I guess the
 answer is probably no (but i'd love to be pleasantly surprised).
 
 Paul

The answer is (I believe) no, mostly for consistency’s sake.

-
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA



signature.asc
Description: Message signed with OpenPGP using GPGMail
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Paul Moore]

On 22 January 2014 11:29, Donald Stufft don...@stufft.io wrote:
 1. To be like the browser we'd need to use the OS certificate store,
 which isn't the case on Windows at the moment (managing those
 certificate bundle files is most definitely *not* like the browser -
 I'd have no idea how to add a self-certificate to the bundle file
 embedded in pip, for example).

 Python 3.4 added the ability to use the OS cert store on Windows,
 see http://bugs.python.org/issue17134.

Brilliant. I didn't know that.

Will pip when run on Python 3.4 use the OS cert store? I guess the
answer is probably no (but i'd love to be pleasantly surprised).

Paul
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Donald Stufft]

On Jan 22, 2014, at 6:58 AM, Nick Coghlan ncogh...@gmail.com wrote:

 On 22 January 2014 21:36, Donald Stufft don...@stufft.io wrote:
 On Jan 22, 2014, at 6:30 AM, M.-A. Lemburg m...@egenix.com wrote:
 The change would also disable all services using self-signed
 certificates which are very common in internal networks and
 for ad-hoc setups. Many routers and other devices use self-signed
 certificates when offering HTTPS services.
 
 It will just disable them by default, they can still easily be accessed
 you’d just need to pass the “do not verify” flag. This clearly indicates
 that you’re opting out of the S in HTTPS.
 
 You need to remember that *Python is fundamentally not an
 application*. We don't control the interaction with the user,
 application developers do, and every decision we make has to take that
 into account.
 
 The kinds of decisions that an application like a web browser or a
 package installer can make aren't necessarily available to a runtime.
 We had to be cautious even with the initial hash randomisation change
 to avoid breaking currently working applications.

The same could be said for requests, it’s fundamentally not an application
and can’t control the interaction with the user and yet it validates TLS by
default just fine.

 
 Look at the anger that people express about us making Python 3 more
 sensitive to environment misconfiguration on POSIX systems: people
 don't blame the misconfigured environment that Python 2 tolerated with
 an increased risk of data corruption, they blame *us* for breaking
 something that used to work by default.

They blame Python for breaking something that used to work by default
for something they feel has little or no benefit, and which is also difficult
or impossible to adapt to without often significant code changes (for
the people who I’ve seen blaming Python dev for).

Do you really think those people would be making the same complaints
if they could restore the previous behavior with a simple boolean flag
delivered either via environment variable or in their own code?

 
 The change you're proposing would mean that *every* Python application
 would either need to be updated to explicitly opt in to insecurity
 (the path most of them will take, because humans) or else to provide a
 set this option to make your computer work again insecurity flag
 (which is a bad idea anyway, again because humans).

Every Python application *that depends on an invalid certificate* and is
written for Python3. It’s not hardly every Python application since a
good majority of them will simply continue working, and given that
most Python applications are still written for Python2 it’s not even
something that is going to affect the bulk of *Python* applications.

 
 There are currently still too many valid reasons for not using
 verified SSL for us to realistically make it the default without a
 seriously long transition period (not quite IPv6 or even Python 3
 long, but certainly not as short as the time period involved in
 introducing hash randomisation).

As I’ve said multiple times, I think it’s fine to send it through the
deprecation process which is still pretty long and gives people
a good chunk of time to update.

 
 Regards,
 Nick.
 
 -- 
 Nick Coghlan   |   ncogh...@gmail.com   |   Brisbane, Australia


-
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA



signature.asc
Description: Message signed with OpenPGP using GPGMail
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Paul Moore]

On 22 January 2014 12:02, Donald Stufft don...@stufft.io wrote:
 We also have to account for the fact that an awful lot of Python
 applications are corporate ones relying on perimeter defence for
 security, or private CAs, or just self-signed certificates that their
 users have already accepted. There are limits to the amount of
 backwards incompatible change users will tolerate, and at this point
 in time we're still trying to get people to accept proper Unicode
 support.

 Most of those add their private CAs to the system cert stores
 which would still work fine. I don’t think this change is one that
 users would be very upset about. We received very positive
 feedback in doing similar for Pip and we did break things for
 a few people.

Speaking as someone whose day job consists entirely of working in a
corporate behind the firewall environment, in my experience this is
simply wrong. Most companies do *not* add private or self certificates
to the system stores. Rather, they expect their end users to click on
Yes, Allow in the browser *every* *time* they access the webpage. In
many cases even the local PC store and exception list is locked down,
so the user has no way of even avoiding this on a local basis. Python
and applications built on Python are often used unofficially in such
organisations for productivity-enhancing applications. Because it's
unofficial, it's often latest versions. Because it's to improve
productivity, grabbing existing apps and libraries and having them
work rather than writing your own is crucial.

Seriously - the security viewpoints I'm seeing here are so far from
corporate life that it's ridiculous. (But to be fair to corporate
environments, the firewalls involved mean that the systems involved
often have so little internet access that you can essentially ignore
anything other than internal threats).

Paul
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Jesse Noller]

 On Jan 22, 2014, at 5:30 AM, M.-A. Lemburg m...@egenix.com wrote:
 
 On 22.01.2014 11:56, Donald Stufft wrote:
 
 On Jan 22, 2014, at 5:51 AM, M.-A. Lemburg m...@egenix.com wrote:
 
 On 22.01.2014 11:30, Donald Stufft wrote:
 I would like to propose that a backwards incompatible change be made to 
 Python to make
 verification of hostname and certificate chain the default instead of 
 requiring it to be opt
 in.
 
 Python 3.4 has made great strides in making it easier for applications to 
 simply turn on these
 settings, however many people are not aware at all that they need to opt 
 into this. Most assume
 that it will operate similarly to their browser, curl, wget, etc and 
 validate by default and
 in the typical style of security related issues it will appear to work 
 just fine however be
 grossly insecure.
 
 In the real world “opt in security” typically translates to just plain old 
 insecure for the
 bulk of applications/libraries. I believe that Python has a responsibility 
 to do the right
 thing by default here and it is in the best position to do so. The 
 alternative requires every
 Python developer who wants to access a secure resource to be educated on 
 the fact that they
 need to flip some switch to do what most of them would expect.
 
 Such a change would introduce considerable breakage. This would either
 have to be done using our usual pending deprecation, deprecation, removal
 dance (over three releases) or be postponed until Python 4.
 
 I can understand the need for doing the typical deprecation dance, although
 I believe such policies are often overlooked or accelerated for security
 sensitive changes. I do believe that waiting until Python 4 would be doing
 a great disservice to the users of Python though.
 
 Well, it's not really a security issue, since the security features
 are present in Python 3.4. It's just that the user has to enable them.

I have to concur with Donald here - in the case of security, especially 
language security which directly impacts the implicit security of downstream 
applications, I should not have to opt in to the most secure defaults.

Yes; this potentially breaks applications relying on insecure / loose defaults. 
However it changes the model to you are by default, explicitly secure then 
relying on the domain knowledge of an application developer to harden their 
application.

When, if this changes, an application breaks, it will be in a plainly obvious 
way which can quickly be resolved.

Donald is perfectly right: today, it's trivial to MITM an application that 
relies off of the current behavior; this is bad news bears for users and 
developers as it means they need domain knowledge to secure their applications 
by default they may not have.


 
 Note that several python.org services use CAcerts which would no
 longer be accessible per default following such a change.
 
 Not that it has much to do with this proposal, but those services should
 be switched to use certificates that are well trusted.
 
 Oh, it does have to do with the proposal, since it's a prominent
 example of services that would no longer work. While we can potentially
 change the situation for python.org servers, you have the same issues
 with other services which we don't have any influence on.
 
 The change would also disable all services using self-signed
 certificates which are very common in internal networks and
 for ad-hoc setups. Many routers and other devices use self-signed
 certificates when offering HTTPS services.
 
 I think overall, it's good to have default security, but locking out
 all certificates which do not have their root CA certs installed
 in default installations of systems per default would likely lead to
 people seeking other more insecure ways of getting things to work,
 rather than asking their admins to add their CA certs to the certificate
 chain configuration. So I'm not sure whether raising errors is the
 best way to achieve better default security. Perhaps just using
 warnings would be better.
 
 -- 
 Marc-Andre Lemburg
 eGenix.com
 
 Professional Python Services directly from the Source  (#1, Jan 22 2014)
 Python Projects, Consulting and Support ...   http://www.egenix.com/
 mxODBC.Zope/Plone.Database.Adapter ...   http://zope.egenix.com/
 mxODBC, mxDateTime, mxTextTools ...http://python.egenix.com/
 
 
 : Try our mxODBC.Connect Python Database Interface for free ! ::
 
   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
   Registered at Amtsgericht Duesseldorf: HRB 46611
   http://www.egenix.com/company/contact/
 ___
 Python-Dev mailing list
 Python-Dev@python.org
 https://mail.python.org/mailman/listinfo/python-dev
 Unsubscribe: 
 https://mail.python.org/mailman/options/python-dev/jnoller%40gmail.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Chris Angelico]

On Wed, Jan 22, 2014 at 11:15 PM, Donald Stufft don...@stufft.io wrote:
 Do you really think those people would be making the same complaints
 if they could restore the previous behavior with a simple boolean flag
 delivered either via environment variable or in their own code?

You assume that it's easy to tweak the code. From personal experience
just today I can say that this isn't always the case. I was asked a
question about an internal program that had been in use since the late
1990s, and which had originally been written to work with Netscape
Navigator and had been updated to work with Firefox, but not Chrome.
The original author is still around, but it's too much hassle to get
that code dug into, so it's far easier just to accept a small issue
with Chrome (since the program's not used very often anyway). But if
Chrome had completely broken that program, the solution would simply
be keep using Firefox, not fix the program - it's not considered a
bug.

Now, maybe it wouldn't be a problem if the fix is an environment
variable, but imagine a thousand-computer deployment and you have to
tweak the environment on all of them. Feel like doing that just
because the newest Python needs it? Not so much.

ChrisA
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Nick Coghlan]

On 22 January 2014 22:15, Donald Stufft don...@stufft.io wrote:

 On Jan 22, 2014, at 6:58 AM, Nick Coghlan ncogh...@gmail.com wrote:

 The kinds of decisions that an application like a web browser or a
 package installer can make aren't necessarily available to a runtime.
 We had to be cautious even with the initial hash randomisation change
 to avoid breaking currently working applications.

 The same could be said for requests, it’s fundamentally not an application
 and can’t control the interaction with the user and yet it validates TLS by
 default just fine.

The requests library is used by a relatively small fraction of the
Python community, and they're mostly web specialists that already
understand the need for TLS-by-default and hence don't need it
carefully explained to them. New users adopting it just treat that as
the way that requests works and not something the language
developers are forcing on them.

 Look at the anger that people express about us making Python 3 more
 sensitive to environment misconfiguration on POSIX systems: people
 don't blame the misconfigured environment that Python 2 tolerated with
 an increased risk of data corruption, they blame *us* for breaking
 something that used to work by default.

 They blame Python for breaking something that used to work by default
 for something they feel has little or no benefit, and which is also difficult
 or impossible to adapt to without often significant code changes (for
 the people who I’ve seen blaming Python dev for).

Which is exactly the way most non-web-specialists working inside the
comfort of corporate and academic firewalls will react to a change
that breaks their access to internal applications, where self-signed
certs and improperly configured internal CAs are endemic (of course,
that's assuming they're using HTTPS at all, which I admit is an
optimistic assumption).

 There are currently still too many valid reasons for not using
 verified SSL for us to realistically make it the default without a
 seriously long transition period (not quite IPv6 or even Python 3
 long, but certainly not as short as the time period involved in
 introducing hash randomisation).

 As I’ve said multiple times, I think it’s fine to send it through the
 deprecation process which is still pretty long and gives people
 a good chunk of time to update.

Then I don't believe we actually have an argument here.

Create the PEP with the rationale (written in terms a
non-web-specialist can understand) and the deprecation strategy, and
we can consider adding the initial deprecation warning in 3.5 next
year. So, no rush on getting the PEP together :)

Cheers,
Nick.

-- 
Nick Coghlan   |   ncogh...@gmail.com   |   Brisbane, Australia
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Antoine Pitrou]

On Wed, 22 Jan 2014 05:30:40 -0500
Donald Stufft don...@stufft.io wrote:
 I would like to propose that a backwards incompatible change be
 made to Python to make verification of hostname and certificate
 chain the default instead of requiring it to be opt in.
 
 Python 3.4 has made great strides in making it easier for applications
 to simply turn on these settings, however many people are not aware
 at all that they need to opt into this. Most assume that it will operate
 similarly to their browser, curl, wget, etc

Python is not a Web client. Are you talking specifically about urllib?

Regards

Antoine.


___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Nick Coghlan]

On 22 January 2014 23:19, Antoine Pitrou solip...@pitrou.net wrote:
 On Wed, 22 Jan 2014 05:30:40 -0500
 Donald Stufft don...@stufft.io wrote:
 I would like to propose that a backwards incompatible change be
 made to Python to make verification of hostname and certificate
 chain the default instead of requiring it to be opt in.

 Python 3.4 has made great strides in making it easier for applications
 to simply turn on these settings, however many people are not aware
 at all that they need to opt into this. Most assume that it will operate
 similarly to their browser, curl, wget, etc

 Python is not a Web client. Are you talking specifically about urllib?

And all the other client modules that can make secure network
connections (but don't validate that the certificate matches the
hostname by default).

Cheers,
Nick.

-- 
Nick Coghlan   |   ncogh...@gmail.com   |   Brisbane, Australia
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Christian Heimes]

On 22.01.2014 12:45, Nick Coghlan wrote:
 We also have to account for the fact that an awful lot of Python
 applications are corporate ones relying on perimeter defence for
 security, or private CAs, or just self-signed certificates that their
 users have already accepted. There are limits to the amount of
 backwards incompatible change users will tolerate, and at this point
 in time we're still trying to get people to accept proper Unicode
 support.

Side note:
Users can simple add self-signed certs to OpenSSL's cert store and get
validation for free. It's possible to do that with an environment
variable, too. But I recommend against the environment variable because
you may overwrite to operating store.

Christian


___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Donald Stufft]

On Jan 22, 2014, at 8:29 AM, Christian Heimes christ...@python.org wrote:

 On 22.01.2014 12:45, Nick Coghlan wrote:
 We also have to account for the fact that an awful lot of Python
 applications are corporate ones relying on perimeter defence for
 security, or private CAs, or just self-signed certificates that their
 users have already accepted. There are limits to the amount of
 backwards incompatible change users will tolerate, and at this point
 in time we're still trying to get people to accept proper Unicode
 support.
 
 Side note:
 Users can simple add self-signed certs to OpenSSL's cert store and get
 validation for free. It's possible to do that with an environment
 variable, too. But I recommend against the environment variable because
 you may overwrite to operating store.
 
 Christian
 
 
 ___
 Python-Dev mailing list
 Python-Dev@python.org
 https://mail.python.org/mailman/listinfo/python-dev
 Unsubscribe: 
 https://mail.python.org/mailman/options/python-dev/donald%40stufft.io

As an additional side note, anecdotal evidence and what not, but
*every* time I bring this up somewhere I get at least one reply that
looks similar to https://twitter.com/ojiidotch/status/425986619879866368

-
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA



signature.asc
Description: Message signed with OpenPGP using GPGMail
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Christian Heimes]

On 22.01.2014 14:55, Donald Stufft wrote:
 As an additional side note, anecdotal evidence and what not, but 
 *every* time I bring this up somewhere I get at least one reply
 that looks similar to
 https://twitter.com/ojiidotch/status/425986619879866368


Yeah :(

The ssl module documentation http://docs.python.org/3/library/ssl.html
features a big red warning box for a good reason.
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Jesse Noller]

 On Jan 22, 2014, at 6:58 AM, Chris Angelico ros...@gmail.com wrote:
 
 On Wed, Jan 22, 2014 at 11:15 PM, Donald Stufft don...@stufft.io wrote:
 Do you really think those people would be making the same complaints
 if they could restore the previous behavior with a simple boolean flag
 delivered either via environment variable or in their own code?
 
 You assume that it's easy to tweak the code. From personal experience
 just today I can say that this isn't always the case. I was asked a
 question about an internal program that had been in use since the late
 1990s, and which had originally been written to work with Netscape
 Navigator and had been updated to work with Firefox, but not Chrome.
 The original author is still around, but it's too much hassle to get
 that code dug into, so it's far easier just to accept a small issue
 with Chrome (since the program's not used very often anyway). But if
 Chrome had completely broken that program, the solution would simply
 be keep using Firefox, not fix the program - it's not considered a
 bug.
 
 Now, maybe it wouldn't be a problem if the fix is an environment
 variable, but imagine a thousand-computer deployment and you have to
 tweak the environment on all of them. Feel like doing that just
 because the newest Python needs it? Not so much.
 

What's the bet that that application will be ported to python 3.4/3.5 if this 
is the case? I'd say approaching 0, which is ok.

 ChrisA
 ___
 Python-Dev mailing list
 Python-Dev@python.org
 https://mail.python.org/mailman/listinfo/python-dev
 Unsubscribe: 
 https://mail.python.org/mailman/options/python-dev/jnoller%40gmail.com
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Christian Heimes]

On 22.01.2014 14:24, Nick Coghlan wrote:
 On 22 January 2014 23:19, Antoine Pitrou solip...@pitrou.net wrote:
 On Wed, 22 Jan 2014 05:30:40 -0500
 Donald Stufft don...@stufft.io wrote:
 I would like to propose that a backwards incompatible change be
 made to Python to make verification of hostname and certificate
 chain the default instead of requiring it to be opt in.

 Python 3.4 has made great strides in making it easier for applications
 to simply turn on these settings, however many people are not aware
 at all that they need to opt into this. Most assume that it will operate
 similarly to their browser, curl, wget, etc

 Python is not a Web client. Are you talking specifically about urllib?
 
 And all the other client modules that can make secure network
 connections (but don't validate that the certificate matches the
 hostname by default).

With Python 3.4 all stdlib modules can verify the hostname and in fact
do with ssl.create_default_context(). Several modules like ftplib didn't
support SNI and hostname verification.


___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Jesse Noller]

 On Jan 22, 2014, at 8:03 AM, Christian Heimes christ...@python.org wrote:
 
 On 22.01.2014 14:55, Donald Stufft wrote:
 As an additional side note, anecdotal evidence and what not, but 
 *every* time I bring this up somewhere I get at least one reply
 that looks similar to
 https://twitter.com/ojiidotch/status/425986619879866368
 
 
 Yeah :(
 
 The ssl module documentation http://docs.python.org/3/library/ssl.html
 features a big red warning box for a good reason.

And no one reads it. I can't count the number of times I've gotten called into 
a managers office when they find out python doesn't do cert validation by 
default (and in 2, it's not been trivial) and gotten told to fix it, or we move 
off of python.

Donald is perfectly right: every time you point out to users that this is the 
default behavior the response is almost universally you can't be serious, is 
this a joke?

 ___
 Python-Dev mailing list
 Python-Dev@python.org
 https://mail.python.org/mailman/listinfo/python-dev
 Unsubscribe: 
 https://mail.python.org/mailman/options/python-dev/jnoller%40gmail.com
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Christian Heimes]

On 22.01.2014 13:43, Jesse Noller wrote:
 I have to concur with Donald here - in the case of security, especially 
 language security which directly impacts the implicit security of downstream 
 applications, I should not have to opt in to the most secure defaults.
 
 Yes; this potentially breaks applications relying on insecure / loose 
 defaults. However it changes the model to you are by default, explicitly 
 secure then relying on the domain knowledge of an application developer to 
 harden their application.
 
 When, if this changes, an application breaks, it will be in a plainly obvious 
 way which can quickly be resolved.
 
 Donald is perfectly right: today, it's trivial to MITM an application that 
 relies off of the current behavior; this is bad news bears for users and 
 developers as it means they need domain knowledge to secure their 
 applications by default they may not have.

For 3.5 I'd like to work on a policy framework for the ssl where
application can define policies like SSL/TLS version, cert store,
verification modes etc. etc. I'll discuss my ideas with Donald, Alex and
the other crypto guys as soon as I have settled in with my new job and town.

Christian

___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Chris Angelico]

On Thu, Jan 23, 2014 at 1:08 AM, Jesse Noller jnol...@gmail.com wrote:
 Now, maybe it wouldn't be a problem if the fix is an environment
 variable, but imagine a thousand-computer deployment and you have to
 tweak the environment on all of them. Feel like doing that just
 because the newest Python needs it? Not so much.


 What's the bet that that application will be ported to python 3.4/3.5 if this 
 is the case? I'd say approaching 0, which is ok.

Define ported to. (This particular application isn't Python, so the
specifics don't apply, but in general.) Usually that means simply run
on. Something that was written for Python 3.2 will probably run on
3.3, and on 3.4, and on 3.5 as well. You certainly wouldn't expect one
small corner of it to suddenly start doing different stuff, and if you
do, you'll blame Python... which would mean that you're right, that
program wouldn't be run on 3.4. Is that a good thing? I don't know,
but I think not. In a big company with lots of seats, every option is
looking like a sysadmin's nightmare.

That said, though, I agree *in principle* that secure-by-default is
the way to go. It's just the backward-incompatibility of *changing*
it. I like how requests is going.

ChrisA
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Antoine Pitrou]

On Wed, 22 Jan 2014 15:13:00 +0100
Christian Heimes christ...@python.org wrote:
 On 22.01.2014 13:43, Jesse Noller wrote:
  I have to concur with Donald here - in the case of security, especially 
  language security which directly impacts the implicit security of 
  downstream applications, I should not have to opt in to the most secure 
  defaults.
  
  Yes; this potentially breaks applications relying on insecure / loose 
  defaults. However it changes the model to you are by default, explicitly 
  secure then relying on the domain knowledge of an application developer to 
  harden their application.
  
  When, if this changes, an application breaks, it will be in a plainly 
  obvious way which can quickly be resolved.
  
  Donald is perfectly right: today, it's trivial to MITM an application that 
  relies off of the current behavior; this is bad news bears for users and 
  developers as it means they need domain knowledge to secure their 
  applications by default they may not have.
 
 For 3.5 I'd like to work on a policy framework for the ssl where
 application can define policies like SSL/TLS version, cert store,
 verification modes etc. etc.

Isn't that called a SSLContext?


___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Paul Moore]

On 22 January 2014 13:55, Donald Stufft don...@stufft.io wrote:

 As an additional side note, anecdotal evidence and what not, but
 *every* time I bring this up somewhere I get at least one reply that
 looks similar to https://twitter.com/ojiidotch/status/425986619879866368

Surprise that Python doesn't verify certs is one thing. I would also
like to live in a world where Python has always verified certs, and
all the issues have already been resolved. Imposing breakage on end
users because we haven't managed to persuade application developers to
do the right thing yet (even though it appears we've made it
one-line-of-code easy to do so) is another thing entirely.

But the deprecation cycle gives application developers time (and a
deadline) so I'm happy with that.

Although from MAL's original comment:
 Note that several python.org services use CAcerts which would no
 longer be accessible per default following such a change.

,The PSF needs to get that sorted before making cert validation the
default in Python, IMO.

Paul
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Donald Stufft]

On Jan 22, 2014, at 9:19 AM, Paul Moore p.f.mo...@gmail.com wrote:

 On 22 January 2014 13:55, Donald Stufft don...@stufft.io wrote:
 
 As an additional side note, anecdotal evidence and what not, but
 *every* time I bring this up somewhere I get at least one reply that
 looks similar to https://twitter.com/ojiidotch/status/425986619879866368
 
 Surprise that Python doesn't verify certs is one thing. I would also
 like to live in a world where Python has always verified certs, and
 all the issues have already been resolved. Imposing breakage on end
 users because we haven't managed to persuade application developers to
 do the right thing yet (even though it appears we've made it
 one-line-of-code easy to do so) is another thing entirely.

Note: That it requires users to even be aware they *need* to do that
one line of code, which many are not.

 
 But the deprecation cycle gives application developers time (and a
 deadline) so I'm happy with that.

Awesome, It looks like I’ll be writing a PEP to handle this, I wasn’t
sure if it needed one or not.

 
 Although from MAL's original comment:
 Note that several python.org services use CAcerts which would no
 longer be accessible per default following such a change.
 
 ,The PSF needs to get that sorted before making cert validation the
 default in Python, IMO.

I’m not aware of which services those are, if MAL (or anyone else)
can point them out I’ll see what I can do to make that happen.


-
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA



signature.asc
Description: Message signed with OpenPGP using GPGMail
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Paul Moore]

On 22 January 2014 13:29, Christian Heimes christ...@python.org wrote:
 Side note:
 Users can simple add self-signed certs to OpenSSL's cert store and get
 validation for free. It's possible to do that with an environment
 variable, too. But I recommend against the environment variable because
 you may overwrite to operating store.

I'm pretty sure what I'm about to ask isn't what you mean, but take it
as an example of how people may misunderstand and/or misinterpret
comments in this area ;-)

So if I set up a PyPI mirror running under https, with a self-signed
certificate, can you explain how I get it to work? For work, assume
I mean pip will use it, I can browse to it with my web browser, and my
various Python scripts (now running under Python 3.5 with SSL
verification on by default) that query the index all work without
needing extra flags, code changes, or interactive prompts.

I'm on Windows, by the way, just for added fun.

(This is a one of the real-world reasons I've never set up a local
https index - not a big one, laziness trumps it by miles :-) as does
the effectiveness of simpler solutions - but it's there. I did think
about it at one stage. If I *were* to set up an index, it's definitely
why I'd use http rather than bothering with https.)

Paul
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Donald Stufft]

On Jan 22, 2014, at 9:28 AM, Paul Moore p.f.mo...@gmail.com wrote:

 On 22 January 2014 13:29, Christian Heimes christ...@python.org wrote:
 Side note:
 Users can simple add self-signed certs to OpenSSL's cert store and get
 validation for free. It's possible to do that with an environment
 variable, too. But I recommend against the environment variable because
 you may overwrite to operating store.
 
 I'm pretty sure what I'm about to ask isn't what you mean, but take it
 as an example of how people may misunderstand and/or misinterpret
 comments in this area ;-)
 
 So if I set up a PyPI mirror running under https, with a self-signed
 certificate, can you explain how I get it to work? For work, assume
 I mean pip will use it, I can browse to it with my web browser, and my
 various Python scripts (now running under Python 3.5 with SSL
 verification on by default) that query the index all work without
 needing extra flags, code changes, or interactive prompts.
 
 I'm on Windows, by the way, just for added fun.

For everything but pip, you’d add it to your OS cert store. Pip doesn’t
use that so you’d have to use the —cert config.

 
 (This is a one of the real-world reasons I've never set up a local
 https index - not a big one, laziness trumps it by miles :-) as does
 the effectiveness of simpler solutions - but it's there. I did think
 about it at one stage. If I *were* to set up an index, it's definitely
 why I'd use http rather than bothering with https.)
 
 Paul
 ___
 Python-Dev mailing list
 Python-Dev@python.org
 https://mail.python.org/mailman/listinfo/python-dev
 Unsubscribe: 
 https://mail.python.org/mailman/options/python-dev/donald%40stufft.io


-
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA



signature.asc
Description: Message signed with OpenPGP using GPGMail
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Christian Heimes]

On 22.01.2014 15:12, Jesse Noller wrote:
 And no one reads it. I can't count the number of times I've gotten called 
 into a managers office when they find out python doesn't do cert validation 
 by default (and in 2, it's not been trivial) and gotten told to fix it, or we 
 move off of python.
 
 Donald is perfectly right: every time you point out to users that this is the 
 default behavior the response is almost universally you can't be serious, is 
 this a joke?

Yes, you are right. :(

About two months ago (maybe three) I proposed to deprecated implicit SSL
context, unverified certs and unverified hostnames all together. But I
was voted down. Donald made a similar attempt half an year ago, too.

Can't we just mark these things as pending deprecated in Python 3.4 so
people start fixing their code *now*?

Christian
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Donald Stufft]

On Jan 22, 2014, at 9:33 AM, Christian Heimes christ...@python.org wrote:

 On 22.01.2014 15:12, Jesse Noller wrote:
 And no one reads it. I can't count the number of times I've gotten called 
 into a managers office when they find out python doesn't do cert validation 
 by default (and in 2, it's not been trivial) and gotten told to fix it, or 
 we move off of python.
 
 Donald is perfectly right: every time you point out to users that this is 
 the default behavior the response is almost universally you can't be 
 serious, is this a joke?
 
 Yes, you are right. :(
 
 About two months ago (maybe three) I proposed to deprecated implicit SSL
 context, unverified certs and unverified hostnames all together. But I
 was voted down. Donald made a similar attempt half an year ago, too.

Last time I tried the reasoning was that Python couldn’t ship root certs
and we couldn’t get to the OS certs everywhere. Thanks to you this
is fixed now, so “once more unto the breach”.

 
 Can't we just mark these things as pending deprecated in Python 3.4 so
 people start fixing their code *now*?

+1

-
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA



signature.asc
Description: Message signed with OpenPGP using GPGMail
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Benjamin Peterson]

On Wed, Jan 22, 2014, at 04:15 AM, Donald Stufft wrote:
 
 On Jan 22, 2014, at 6:58 AM, Nick Coghlan ncogh...@gmail.com wrote:
 
  On 22 January 2014 21:36, Donald Stufft don...@stufft.io wrote:
  On Jan 22, 2014, at 6:30 AM, M.-A. Lemburg m...@egenix.com wrote:
  The change would also disable all services using self-signed
  certificates which are very common in internal networks and
  for ad-hoc setups. Many routers and other devices use self-signed
  certificates when offering HTTPS services.
  
  It will just disable them by default, they can still easily be accessed
  you’d just need to pass the “do not verify” flag. This clearly indicates
  that you’re opting out of the S in HTTPS.
  
  You need to remember that *Python is fundamentally not an
  application*. We don't control the interaction with the user,
  application developers do, and every decision we make has to take that
  into account.
  
  The kinds of decisions that an application like a web browser or a
  package installer can make aren't necessarily available to a runtime.
  We had to be cautious even with the initial hash randomisation change
  to avoid breaking currently working applications.
 
 The same could be said for requests, it’s fundamentally not an
 application
 and can’t control the interaction with the user and yet it validates TLS
 by
 default just fine.

Speaking of requests, I think another way to address this issue would be
import a requests-like APIs into the stdlib (something which should
happen anyway) and make that verify certificates by default. This would
address the casual urllib-type usecase of fetching files over http/ftp
etc. (I expect most people using their own protocols over raw TLS
already know to force certificate verification.)
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Christian Heimes]

On 22.01.2014 15:36, Donald Stufft wrote:
 Last time I tried the reasoning was that Python couldn’t ship root certs
 and we couldn’t get to the OS certs everywhere. Thanks to you this
 is fixed now, so “once more unto the breach”.

The Windows situation is still not perfect, though. I'd love to use
Chrome's approach and directly hook Windows' crypt32 API into OpenSSL
verify function. That would trigger automatic retrieval of unknown root
certs and CRL checks.

___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Antoine Pitrou]

On Wed, 22 Jan 2014 15:33:21 +0100
Christian Heimes christ...@python.org wrote:
 
 About two months ago (maybe three) I proposed to deprecated implicit SSL
 context, unverified certs and unverified hostnames all together. But I
 was voted down. Donald made a similar attempt half an year ago, too.

So why are you trying a third time? Do you have any new arguments
compared to last time?

Antoine.


___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Donald Stufft]

On Jan 22, 2014, at 10:05 AM, Antoine Pitrou solip...@pitrou.net wrote:

 On Wed, 22 Jan 2014 15:33:21 +0100
 Christian Heimes christ...@python.org wrote:
 
 About two months ago (maybe three) I proposed to deprecated implicit SSL
 context, unverified certs and unverified hostnames all together. But I
 was voted down. Donald made a similar attempt half an year ago, too.
 
 So why are you trying a third time? Do you have any new arguments
 compared to last time?

See my other email, Last time I tried I was told the reason was there wasn’t a
reliable enough default certificate store that worked on platforms such as
Windows and Python was unwilling to ship it’s own certificate bundle.

Christian has improved this situation so that it appears that this issue has
been largely resolved.

-
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA



signature.asc
Description: Message signed with OpenPGP using GPGMail
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Eric Snow]

On Jan 22, 2014 6:17 AM, M.-A. Lemburg m...@egenix.com wrote:
 Using an environment switch the extra checks could even be enabled
 without any code changes.

When Donald brought this up it sounded good.  It still does.  This is
similar to what we did for hash randomization.

-eric
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Benjamin Peterson]

On Wed, Jan 22, 2014, at 04:02 AM, Donald Stufft wrote:
 
 On Jan 22, 2014, at 6:45 AM, Nick Coghlan ncogh...@gmail.com wrote:
 
  On 22 January 2014 21:21, Paul Moore p.f.mo...@gmail.com wrote:
  On 22 January 2014 10:30, Donald Stufft don...@stufft.io wrote:
  Python 3.4 has made great strides in making it easier for applications
  to simply turn on these settings, however many people are not aware
  at all that they need to opt into this. Most assume that it will operate
  similarly to their browser, curl, wget, etc and validate by default and in
  the typical style of security related issues it will appear to work just 
  fine
  however be grossly insecure.
  
  Two things:
  
  1. To be like the browser we'd need to use the OS certificate store,
  which isn't the case on Windows at the moment (managing those
  certificate bundle files is most definitely *not* like the browser -
  I'd have no idea how to add a self-certificate to the bundle file
  embedded in pip, for example).
  2. Your proposal is that because some application authors have not
  opted in yet, we should penalise the end users of those applications
  by stopping them being able to use unverified https? And don't forget,
  applications that haven't opted in will have no switch to allow
  unverified use. That seems to be punishing the wrong people.
  
  Right, the browsers have a whole system of click through security to
  make the web (and corporate intranets!) still usable even when they
  only accept CA signed certs by default. With a programming language,
  there's no such interactivity, so applications just break and users
  don't know why.
  
  It's notable that even Linux distros haven't made this change in their
  system Python builds, and commercial Linux distros have raised
  paranoia to an art form (since that's a respectable chunk of what
  their users are paying for).
 
 I was actually talking to a Debian maintainer about the likelihood
 of making this change there earlier today :) If I fail at making this
 change in upstream I’ll be lobbying downstream and then we’ll
 just have different behaviors based on where you get your Python
 from which I think stinks.

I suppose if Debian wants to serve as a test ground to determine whether
everyone is happy about having their scripts broken, that's fine, too.
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Cory Benfield]

Donald Stufft donald at stufft.io writes:

 
 I would like to propose that a backwards incompatible change be
 made to Python to make verification of hostname and certificate
 chain the default instead of requiring it to be opt in.

I'm overwhelmingly, dramatically +1 on this. There's no good
architectural reason to not use the built-in certificate chains by
default. I'd like to be in favour of backporting this change to earlier
Python versions as well, but it feels too aggressive, even to me.

___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Cory Benfield]

On 22 January 2014 10:30, Donald Stufft don...@stufft.io wrote:
 I would like to propose that a backwards incompatible change be
 made to Python to make verification of hostname and certificate
 chain the default instead of requiring it to be opt in.

I'm overwhelmingly, dramatically +1 on this. There's no good
architectural reason to not use the built-in certificate chains by
default. I'd like to be in favour of backporting this change to earlier
Python versions as well, but it feels just a bit too aggressive.

Cory
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Antoine Pitrou]

On Wed, 22 Jan 2014 08:12:06 -0700
Eric Snow ericsnowcurren...@gmail.com wrote:
 On Jan 22, 2014 6:17 AM, M.-A. Lemburg m...@egenix.com wrote:
  Using an environment switch the extra checks could even be enabled
  without any code changes.
 
 When Donald brought this up it sounded good.  It still does.  This is
 similar to what we did for hash randomization.

The comparison is baseless. Hash randomization is a language feature
that can only be enabled at interpreter startup, and is at best a
per-application decision. SSL settings, on the other hand, have to be
decided per-client endpoint, not per-process, and they will depend on
the external service you connect to rather than the way your code is
written.

I'm -1 on adding env vars because we can't agree on SSL configuration
options.

Regards

Antoine.


___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[John Yeuk Hon Wong]

On 1/22/14 8:16 AM, Nick Coghlan wrote:
Which is exactly the way most non-web-specialists working inside the 
comfort of corporate and academic firewalls will react to a change 
that breaks their access to internal applications, where self-signed 
certs and improperly configured internal CAs are endemic (of course, 
that's assuming they're using HTTPS at all, which I admit is an 
optimistic assumption).
The number of people who are using 3.4+ in these environments is 
probably very very low to be honest. I don't have a number to prove, but 
in that environment people are more likely to still be using 2.6+. I 
think a deprecation in 2.7+ would be nice, but forward we should just 
enable it by default.


When requests changed property calls (e.g. requests.json) to callable 
instead of an attribute(from requests.json to requests.json()), I was 
shocked. I had to figure out by Googling it. I found out from github 
issue


I think a hard fail is somehow necessary.

Also, a lot of people overlook at deprecation warnings. They either 
don't care or don't see it. I see a lot of deprecation warnings in the 
older applications I write, but I can careless until it breaks. So as we 
moving forward, we can break it. For those stuck behind, deprecation is 
the right approach.


John
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Brian Curtin]

On Wed, Jan 22, 2014 at 12:10 PM, John Yeuk Hon Wong
gokoproj...@gmail.com wrote:
 On 1/22/14 8:16 AM, Nick Coghlan wrote:

 Which is exactly the way most non-web-specialists working inside the
 comfort of corporate and academic firewalls will react to a change that
 breaks their access to internal applications, where self-signed certs and
 improperly configured internal CAs are endemic (of course, that's assuming
 they're using HTTPS at all, which I admit is an optimistic assumption).

 The number of people who are using 3.4+ in these environments is probably
 very very low to be honest. I don't have a number to prove, but in that
 environment people are more likely to still be using 2.6+. I think a
 deprecation in 2.7+ would be nice, but forward we should just enable it by
 default.

 When requests changed property calls (e.g. requests.json) to callable
 instead of an attribute(from requests.json to requests.json()), I was
 shocked. I had to figure out by Googling it. I found out from github
 issue

 I think a hard fail is somehow necessary.

 Also, a lot of people overlook at deprecation warnings. They either don't
 care or don't see it. I see a lot of deprecation warnings in the older
 applications I write, but I can careless until it breaks. So as we moving
 forward, we can break it. For those stuck behind, deprecation is the right
 approach.

They're disabled by default, so a lot of people simply don't know they
exist because they also don't read the documentation.
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Donald Stufft]

On Jan 22, 2014, at 1:46 PM, Brian Curtin br...@python.org wrote:

 On Wed, Jan 22, 2014 at 12:10 PM, John Yeuk Hon Wong
 gokoproj...@gmail.com wrote:
 On 1/22/14 8:16 AM, Nick Coghlan wrote:
 
 Which is exactly the way most non-web-specialists working inside the
 comfort of corporate and academic firewalls will react to a change that
 breaks their access to internal applications, where self-signed certs and
 improperly configured internal CAs are endemic (of course, that's assuming
 they're using HTTPS at all, which I admit is an optimistic assumption).
 
 The number of people who are using 3.4+ in these environments is probably
 very very low to be honest. I don't have a number to prove, but in that
 environment people are more likely to still be using 2.6+. I think a
 deprecation in 2.7+ would be nice, but forward we should just enable it by
 default.
 
 When requests changed property calls (e.g. requests.json) to callable
 instead of an attribute(from requests.json to requests.json()), I was
 shocked. I had to figure out by Googling it. I found out from github
 issue
 
 I think a hard fail is somehow necessary.
 
 Also, a lot of people overlook at deprecation warnings. They either don't
 care or don't see it. I see a lot of deprecation warnings in the older
 applications I write, but I can careless until it breaks. So as we moving
 forward, we can break it. For those stuck behind, deprecation is the right
 approach.
 
 They're disabled by default, so a lot of people simply don't know they
 exist because they also don't read the documentation.

Ironically this is the exact reason why validation should happen by default :]


-
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA



signature.asc
Description: Message signed with OpenPGP using GPGMail
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Antoine Pitrou]

On Wed, 22 Jan 2014 13:50:37 -0500
Donald Stufft don...@stufft.io wrote:
 
 Ironically this is the exact reason why validation should happen by default :]

I think most of us would agree that a new client API should do
validation by default (with an easy way to opt out). So let's
concentrate on the question of whether and how to migrate existing APIs
while remaining user-friendly.

Regards

Antoine.


___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Wes Turner]

If I could summarize this discussion (please correct me if I am wrong):

1. Status Quo

   All existing versions of Python are unsecure by default
   because by not doing SSL hostname verification,
   libraries which wrap sockets with SSLContext
   allow SSL MITM (man-in-the-middle) with no warning.

   Christian Heimes has introduced ss.create_default_context for 3.4

   Donald Stuft is proposing that hostname verification should be
   the default behavior in future versions of Python;
   such as Python 3.4,
   ideally as soon as possible.

   python-dev has been resistant to preventing SSL MITM by default
   because humans, pypi:keyring, and pypi:certifi


2. Generalizations about end-users:

   * corporate users aren't susceptible to MITM because perimeter

 * fallacious on all accounts
 * mismatched metaphors abound

   * nobody knows how to add self-signed CA certs to their chains

 * Agreed.

   * most people haven't / aren't going to read the docs:
 http://docs.python.org/3/library/ssl.html#verifying-certificates

 A **warning::** would probably be appropriate

 (and a big red warning box has been added to the 3.3 docs)

 It could also say PYTHON DOES NOT VALIDATE SSL CERTIFICATES BY
DEFAULT

   * most people don't realize / have modification rights / have the
 ability to submit patches upstream; either to

 * set CERT_REQUIRED for every connection
 * set (a forthcoming) CERT_NOVALIDATE

   * people who complain about breaking security defaults
 which allow MITM are most relevant

   * it doesn't work on my SOHO router

   * people would need to understand how Python
 (and many other languages' SSL implementations)
 is less secure than current browsers

   * people don't read What's New; distributions test and upgrade their
 interpreter for them

   * some people are aware that third-party libraries requests and urllib3
 do SSL hostname validation by default, now, with Python 2


3. Compatibility

   There could be a PYTHONSSLNOVALIDATE environment variable:

   * +1 : This would allow workarounds for applications which cannot be
 updated
   * -1 : This is not preferable because PYTHONHASHSEED


4. Chain management

   * It should be possible to update the cert chain
   * It could be easier to specify a different cert chain (?)
   * Python 3.4 now supports using the Windows cert chain
   * Pip does not yet support using the Windows cert chain
   * pypi:certifi adds the Mozilla Firefox keychain for Python 2 and 3
 (like requests and pip)


5. Deprecation

   * Should deprecate slowly (2017) because people would complain about
 having been secured against MITM (in their upgrade to Python 3.4)
   * Should not deprecate slowly because the status quo
 (insecure by default) is risky
   * Should add pending deprecation now (see CERT_NOVALIDATE NOP below)


6. Testing Responses

   * It's probably good to start testing downstream patches
 to Python 3.4 packages
   * The error message may be primed


My two cents:

* CERT_NOVALIDATE could/should be present now (if even as a no-op)
* 2to3 could/should add CERT_NOVALIDATE


Please feel free to add any, all, or none of this to the forthcoming PEP.

Thank you for addressing this issue.

(This is buried here because the mailman archive gzip hasn't yet updated
with
the latest Message-Id to specify for In-Reply-To)


-- 
Wes Turner


On Wed, Jan 22, 2014 at 12:46 PM, Brian Curtin br...@python.org wrote:

 On Wed, Jan 22, 2014 at 12:10 PM, John Yeuk Hon Wong
 gokoproj...@gmail.com wrote:
  On 1/22/14 8:16 AM, Nick Coghlan wrote:
 
  Which is exactly the way most non-web-specialists working inside the
  comfort of corporate and academic firewalls will react to a change that
  breaks their access to internal applications, where self-signed certs
 and
  improperly configured internal CAs are endemic (of course, that's
 assuming
  they're using HTTPS at all, which I admit is an optimistic assumption).
 
  The number of people who are using 3.4+ in these environments is probably
  very very low to be honest. I don't have a number to prove, but in that
  environment people are more likely to still be using 2.6+. I think a
  deprecation in 2.7+ would be nice, but forward we should just enable it
 by
  default.
 
  When requests changed property calls (e.g. requests.json) to callable
  instead of an attribute(from requests.json to requests.json()), I was
  shocked. I had to figure out by Googling it. I found out from github
  issue
 
  I think a hard fail is somehow necessary.
 
  Also, a lot of people overlook at deprecation warnings. They either don't
  care or don't see it. I see a lot of deprecation warnings in the older
  applications I write, but I can careless until it breaks. So as we moving
  forward, we can break it. For those stuck behind, deprecation is the
 right
  approach.

 They're disabled by default, so a lot of people simply don't know they
 exist because they also don't 

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Terry Reedy]

On 1/22/2014 9:25 AM, Donald Stufft wrote:


Awesome, It looks like I’ll be writing a PEP to handle this, I wasn’t
sure if it needed one or not.


Definitely. I think the transition from insecure by default to secure by 
default is somewhat comparable to the transition from ascii by default 
to unicode by default. I suspect more than one PEP will be needed for 
various aspects.


--
Terry Jan Reedy


___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Nick Coghlan]

On 23 Jan 2014 00:39, Benjamin Peterson benja...@python.org wrote:

 On Wed, Jan 22, 2014, at 04:15 AM, Donald Stufft wrote:
 
  On Jan 22, 2014, at 6:58 AM, Nick Coghlan ncogh...@gmail.com wrote:
 
   On 22 January 2014 21:36, Donald Stufft don...@stufft.io wrote:
   On Jan 22, 2014, at 6:30 AM, M.-A. Lemburg m...@egenix.com wrote:
   The change would also disable all services using self-signed
   certificates which are very common in internal networks and
   for ad-hoc setups. Many routers and other devices use self-signed
   certificates when offering HTTPS services.
  
   It will just disable them by default, they can still easily be
accessed
   you’d just need to pass the “do not verify” flag. This clearly
indicates
   that you’re opting out of the S in HTTPS.
  
   You need to remember that *Python is fundamentally not an
   application*. We don't control the interaction with the user,
   application developers do, and every decision we make has to take that
   into account.
  
   The kinds of decisions that an application like a web browser or a
   package installer can make aren't necessarily available to a runtime.
   We had to be cautious even with the initial hash randomisation change
   to avoid breaking currently working applications.
 
  The same could be said for requests, it’s fundamentally not an
  application
  and can’t control the interaction with the user and yet it validates TLS
  by
  default just fine.

 Speaking of requests, I think another way to address this issue would be
 import a requests-like APIs into the stdlib (something which should
 happen anyway) and make that verify certificates by default. This would
 address the casual urllib-type usecase of fetching files over http/ftp
 etc. (I expect most people using their own protocols over raw TLS
 already know to force certificate verification.)

Guido gave in principle approval for an asyncio backed requests clone as
the preferred HTTP client API last year, but that's going to take someone
to write and publish it if we're going to be able to include it in 3.5.

Cheers,
Nick.
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Benjamin Peterson]

On Wed, Jan 22, 2014, at 12:25 PM, Nick Coghlan wrote:
 On 23 Jan 2014 00:39, Benjamin Peterson benja...@python.org wrote:
  Speaking of requests, I think another way to address this issue would be
  import a requests-like APIs into the stdlib (something which should
  happen anyway) and make that verify certificates by default. This would
  address the casual urllib-type usecase of fetching files over http/ftp
  etc. (I expect most people using their own protocols over raw TLS
  already know to force certificate verification.)
 
 Guido gave in principle approval for an asyncio backed requests clone as
 the preferred HTTP client API last year, but that's going to take someone
 to write and publish it if we're going to be able to include it in 3.5.

But requests is synchronous, so I'm not sure how much you can use of
asyncio. I was thinking of something bolted onto urllib.
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Brett Cannon]

On Wed, Jan 22, 2014 at 3:56 PM, Benjamin Peterson benja...@python.orgwrote:



 On Wed, Jan 22, 2014, at 12:25 PM, Nick Coghlan wrote:
  On 23 Jan 2014 00:39, Benjamin Peterson benja...@python.org wrote:
   Speaking of requests, I think another way to address this issue would
 be
   import a requests-like APIs into the stdlib (something which should
   happen anyway) and make that verify certificates by default. This would
   address the casual urllib-type usecase of fetching files over http/ftp
   etc. (I expect most people using their own protocols over raw TLS
   already know to force certificate verification.)
 
  Guido gave in principle approval for an asyncio backed requests clone as
  the preferred HTTP client API last year, but that's going to take someone
  to write and publish it if we're going to be able to include it in 3.5.

 But requests is synchronous, so I'm not sure how much you can use of
 asyncio. I was thinking of something bolted onto urllib.


Sure, but the key point is that a new async API can be made synchronous as
well by blocking as necessary. The eventual synchronous API can resemble or
take inspiration from requests. Point is, though, is it was admitted a new
module is probably called for thanks to asyncio (and to give us a chance to
fix mistakes in urllib).
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Donald Stufft]

Never mind. If someone else cares they can propose it. I withdraw. 

 On Jan 22, 2014, at 4:29 PM, Brett Cannon br...@python.org wrote:
 
 
 
 
 On Wed, Jan 22, 2014 at 3:56 PM, Benjamin Peterson benja...@python.org 
 wrote:
 
 
 On Wed, Jan 22, 2014, at 12:25 PM, Nick Coghlan wrote:
  On 23 Jan 2014 00:39, Benjamin Peterson benja...@python.org wrote:
   Speaking of requests, I think another way to address this issue would be
   import a requests-like APIs into the stdlib (something which should
   happen anyway) and make that verify certificates by default. This would
   address the casual urllib-type usecase of fetching files over http/ftp
   etc. (I expect most people using their own protocols over raw TLS
   already know to force certificate verification.)
 
  Guido gave in principle approval for an asyncio backed requests clone as
  the preferred HTTP client API last year, but that's going to take someone
  to write and publish it if we're going to be able to include it in 3.5.
 
 But requests is synchronous, so I'm not sure how much you can use of
 asyncio. I was thinking of something bolted onto urllib.
 
 Sure, but the key point is that a new async API can be made synchronous as 
 well by blocking as necessary. The eventual synchronous API can resemble or 
 take inspiration from requests. Point is, though, is it was admitted a new 
 module is probably called for thanks to asyncio (and to give us a chance to 
 fix mistakes in urllib).
 ___
 Python-Dev mailing list
 Python-Dev@python.org
 https://mail.python.org/mailman/listinfo/python-dev
 Unsubscribe: 
 https://mail.python.org/mailman/options/python-dev/donald%40stufft.io
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Jesse Noller]

On Wed, Jan 22, 2014 at 3:48 PM, Donald Stufft don...@stufft.io wrote:
 Never mind. If someone else cares they can propose it. I withdraw.


I'll throw writing a PEP for 3.5 to do this following the deprecation
policy on my todo list so 3.4 fixing can move on. I needed to brush up
on my ReST anyway.
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Benjamin Peterson]

On Wed, Jan 22, 2014, at 01:48 PM, Donald Stufft wrote:
 Never mind. If someone else cares they can propose it. I withdraw. 

I'm sorry to see this thread went down hill so quickly. I think we can
all agree than not validating certs by default is bad and that it should
change soon. It's only a question of when. And since we're python-dev,
we like to take things in excruciating slow and careful pace.
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Nick Coghlan]

On 23 Jan 2014 07:48, Donald Stufft don...@stufft.io wrote:

 Never mind. If someone else cares they can propose it. I withdraw.

That's unfortunate, but understandable - we already have a lot to deal with
just trying to get even the software distribution infrastructure to a
secure by default status.

However, now we have access to the system cert stores on all major
platforms, I *do* think it's a good idea to eventually change the default
settings to include host verification.

It's just any such concrete proposal, like any other major backwards
incompatible change, needs to be written up as a PEP, including a
transition plan for insecure environments where users will blame *Python*
if an upgrade breaks things, rather than the insecurity of their
configuration. We know all too well from the Python 3 transition how
unhappy it makes users when a new version complains about environmental
issues that previous versions blithely ignored.

While the normal deprecation process should suffice, that still means
Python 3.6 (2017-ish) is the earliest feasible target for new default
settings.

Such a proposal will also need to address the implications for source
compatible Python 2/3 code across *all* secure network protocols, not just
HTTPS (the latter can be handled relatively easily using the requests
module).

A new, preferred, secure-by-default HTTPS client API for the standard
library (based on the requests API) is an orthogonal proposal, and one that
already has in-principle approval from Guido, preferably as a synchronous
front end to the asyncio networking backend.

Regards,
Nick.
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Christian Heimes]

On 22.01.2014 23:20, Nick Coghlan wrote:
 However, now we have access to the system cert stores on all major
 platforms, I *do* think it's a good idea to eventually change the
 default settings to include host verification.

Somebody has revise the situation on OSX for Python 3.5 and possible
create new bindings to the keychain API. OSX has only 0.9.8. Apple has
deprecated OpenSSL and I'd like to drop 0.9.8 support in 3.5.

 Such a proposal will also need to address the implications for source
 compatible Python 2/3 code across *all* secure network protocols, not
 just HTTPS (the latter can be handled relatively easily using the
 requests module).

Please count me in!

I see two options to handle Python  3.4: backport the ssl module or
hope that the cryptography library is ready.

Christian

___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Wes Turner]

 While the normal deprecation process should suffice, that still means Python 
 3.6 (2017-ish) is the earliest feasible target for new default settings.

Could a CERT_NOVERIFY no-op be added now?
(no-op because it would just be more explicit about the default
behavior anyway) [1]

 Such a proposal will also need to address the implications for source 
 compatible Python 2/3 code across *all* secure network protocols, not just 
 HTTPS (the latter can be handled relatively easily using the requests module).

Could/should this be a feature of 2to3? [1] (and/or automated AST code
scanners for Python source)?

[1] https://mail.python.org/pipermail/python-dev/2014-January/131974.html

 A new, preferred, secure-by-default HTTPS client API for the standard library 
 (based on the requests API) is an orthogonal proposal, and one that already 
 has in-principle approval from Guido, preferably as a synchronous front end 
 to the asyncio networking backend.

I'm aware of aiohttp (BSD), but haven't yet had much chance to review
the source.
It looks like the tests currently require nose and gunicorn,
because it provides an asyncio gunicorn worker.

http client/server for asyncio
https://github.com/fafhrd91/aiohttp
--
Wes Turner


On Wed, Jan 22, 2014 at 4:20 PM, Nick Coghlan ncogh...@gmail.com wrote:

 On 23 Jan 2014 07:48, Donald Stufft don...@stufft.io wrote:

 Never mind. If someone else cares they can propose it. I withdraw.

 That's unfortunate, but understandable - we already have a lot to deal with
 just trying to get even the software distribution infrastructure to a
 secure by default status.

 However, now we have access to the system cert stores on all major
 platforms, I *do* think it's a good idea to eventually change the default
 settings to include host verification.

 It's just any such concrete proposal, like any other major backwards
 incompatible change, needs to be written up as a PEP, including a transition
 plan for insecure environments where users will blame *Python* if an upgrade
 breaks things, rather than the insecurity of their configuration. We know
 all too well from the Python 3 transition how unhappy it makes users when a
 new version complains about environmental issues that previous versions
 blithely ignored.

 While the normal deprecation process should suffice, that still means Python
 3.6 (2017-ish) is the earliest feasible target for new default settings.

 Such a proposal will also need to address the implications for source
 compatible Python 2/3 code across *all* secure network protocols, not just
 HTTPS (the latter can be handled relatively easily using the requests
 module).

 A new, preferred, secure-by-default HTTPS client API for the standard
 library (based on the requests API) is an orthogonal proposal, and one that
 already has in-principle approval from Guido, preferably as a synchronous
 front end to the asyncio networking backend.

 Regards,
 Nick.


 ___
 Python-Dev mailing list
 Python-Dev@python.org
 https://mail.python.org/mailman/listinfo/python-dev
 Unsubscribe:
 https://mail.python.org/mailman/options/python-dev/wes.turner%40gmail.com

___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Kristján Valur Jónsson]

 -Original Message-
 From: Python-Dev [mailto:python-dev-
 bounces+kristjan=ccpgames@python.org] On Behalf Of Nick Coghlan
 Sent: Wednesday, January 22, 2014 19:45
 To: Paul Moore
 Cc: Python-Dev
 Subject: Re: [Python-Dev] Enable Hostname and Certificate Chain Validation
 Right, the browsers have a whole system of click through security to make
 the web (and corporate intranets!) still usable even when they only accept
 CA signed certs by default. With a programming language, there's no such
 interactivity, so applications just break and users don't know why.
 

If not already possible, I suggest that we allow the use of a certificate 
validation callback
(it isn't possible for 2.7, I just hacked in one yesterday to allow me to 
ignore out-date-failure for certificates.)
Using this, it would be possible to e.g. emit warnings when certificiate 
failures occur, rather than deny connection outright.

K

___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] Enable Hostname and Certificate Chain Validation

[Scott Dial]

On 2014-01-22 9:33 AM, Donald Stufft wrote:
 For everything but pip, you’d add it to your OS cert store. Pip doesn’t
 use that so you’d have to use the —cert config.

What if I don't want that self-signed cert to be trusted by all users on
the system? What if I don't have administrative rights? How do I do it
then? Is this common knowledge for average users? Are we trading one big
red box in the documentation for another?

Anecdotally, I already know of a system at work that is using HTTPS
purely for encryption, because the authentication is done in-band. So, a
self-signed cert was wholly sufficient. The management tools use a
RESTful interface over HTTPS for control, but you are telling me this
will be broken by default now. What do I tell our developers (who often
adopt the latest and greatest versions of things to play with)?

-- 
Scott Dial
sc...@scottdial.com
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com