
Hostname validation is False by default in imaplib #72507

Open
soltysh opened this issue Sep 30, 2016 · 4 comments
Assignees
Labels
3.7 (EOL) end of life stdlib Python modules in the Lib dir topic-email type-security A security issue

Comments

@soltysh

soltysh commented Sep 30, 2016

BPO 28320
Nosy @warsaw, @tiran, @mcepl, @bitdancer, @soltysh

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


GitHub fields:

assignee = 'https://github.com/tiran'
closed_at = None
created_at = <Date 2016-09-30.20:59:42.723>
labels = ['type-security', '3.7', 'expert-email']
title = 'Hostname validation is False by default in imaplib'
updated_at = <Date 2018-04-21.19:11:49.319>
user = 'https://github.com/soltysh'

bugs.python.org fields:

activity = <Date 2018-04-21.19:11:49.319>
actor = 'mcepl'
assignee = 'christian.heimes'
closed = False
closed_date = None
closer = None
components = ['email']
creation = <Date 2016-09-30.20:59:42.723>
creator = 'maciej.szulik'
dependencies = []
files = []
hgrepos = []
issue_num = 28320
keywords = []
message_count = 3.0
messages = ['277772', '315574', '315579']
nosy_count = 5.0
nosy_names = ['barry', 'christian.heimes', 'mcepl', 'r.david.murray', 'maciej.szulik']
pr_nums = []
priority = 'normal'
resolution = None
stage = 'needs patch'
status = 'open'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue28320'
versions = ['Python 3.7']

@soltysh (Author)

soltysh commented Sep 30, 2016

According to David [1], hostname validation should be True by default for imaplib, but my tests clearly show something different. Additionally, he states that you, Christian, were doing so; that's why I'm opening this, so as not to forget about the problem and to eventually discuss what should happen.

[1] http://bugs.python.org/review/25591/diff/16398/Lib/test/test_imaplib.py#newcode451

@soltysh soltysh added the 3.7 (EOL) end of life label Sep 30, 2016
@mcepl (Mannequin)

mcepl mannequin commented Apr 21, 2018

I do agree with http://legacy.python.org/dev/peps/pep-0476/#other-protocols:

This PEP only proposes requiring this level of validation for HTTP clients, not for other protocols such as SMTP.

This is because while a high percentage of HTTPS servers have correct certificates, as a result of the validation performed by browsers, for other protocols self-signed or otherwise incorrect certificates are far more common.

With HTTP (and thanks to Let's Encrypt) the situation seems to be really good, and most publicly accessible webservers will hopefully soon have good signed certificates, but I am afraid that with other servers (especially, but certainly not limited to, IMAP servers) there are just too many self-signed certificates (or ones signed by suspicious internal CAs) in various internal email servers, so changing defaults would do more harm than good. Also, arguing about defaults is the way of The Waste of Time, so I will try to limit myself to just this one comment on this bug.

@mcepl (Mannequin)

mcepl mannequin commented Apr 21, 2018

See also bpo-33327.

@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
@iritkatriel iritkatriel added the stdlib Python modules in the Lib dir label Nov 23, 2023
@vadmium (Member)

vadmium commented Mar 23, 2024

There is Issue #91826 about changing the default SSL behaviour for IMAP along with other protocols.

But in the meantime, I think the current behaviour should be documented clearly. The default arguments IMAP4_SSL(context=None) and IMAP4.starttls(context=None) avoid validating the hostname, despite the claim that “the class now supports hostname check”. This default even avoids validating the server’s certificate, despite the “Security considerations” referring to default contexts that do validate certificates and hostnames.
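The contrast described in the comment above, as an added example that is not code from CPython or from this thread: the unverified context the stdlib hands to IMAP4_SSL() and IMAP4.starttls() when the caller passes no context (the private helper ssl._create_stdlib_context, which is what imaplib falls back to when ssl_context is None in the Python versions this thread covers) is placed next to a verifying context built from the public ssl.create_default_context() API. The function names, the CA-bundle parameter and the fail-closed checks are this example's own choices, not imaplib's; the two connection helpers at the end are not exercised offline.

```python
from __future__ import annotations

import imaplib
import ssl


def context_is_verifying(ctx: ssl.SSLContext) -> bool:
    """True only if the context both validates the server's certificate
    chain and matches the certificate against the hostname we asked for."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def stdlib_unverified_context() -> ssl.SSLContext:
    """The context imaplib falls back to when ssl_context is None.
    Private stdlib helper; used here only to show what that default means
    (check_hostname off, verify_mode CERT_NONE)."""
    factory = getattr(ssl, "_create_stdlib_context", None) or ssl._create_unverified_context
    return factory()


def hardened_imap_context(cafile: str | None = None) -> ssl.SSLContext:
    """Verifying context: system trust store, or an explicit CA bundle for an
    internal server whose CA is not in the system store (assumed parameter).
    Hostname check on, certificate required, TLS 1.2 as the floor."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not context_is_verifying(ctx):
        raise RuntimeError("create_default_context() returned a non-verifying context")
    return ctx


def open_imaps(host: str, port: int = imaplib.IMAP4_SSL_PORT,
               ctx: ssl.SSLContext | None = None, timeout: float = 15) -> imaplib.IMAP4_SSL:
    """Implicit TLS on 993, always with an explicit context. Refuses a
    caller-supplied context that would skip validation."""
    if ctx is None:
        ctx = hardened_imap_context()
    if not context_is_verifying(ctx):
        raise ValueError("refusing IMAPS connection with a non-verifying context")
    return imaplib.IMAP4_SSL(host, port, ssl_context=ctx, timeout=timeout)


def open_imap_starttls(host: str, port: int = imaplib.IMAP4_PORT,
                       ctx: ssl.SSLContext | None = None, timeout: float = 15) -> imaplib.IMAP4:
    """Plaintext on 143 upgraded with STARTTLS, again with an explicit
    verifying context. Fails closed: if the server refuses the upgrade,
    the plaintext connection is shut down rather than used."""
    if ctx is None:
        ctx = hardened_imap_context()
    if not context_is_verifying(ctx):
        raise ValueError("refusing STARTTLS with a non-verifying context")
    conn = imaplib.IMAP4(host, port, timeout=timeout)
    try:
        conn.starttls(ssl_context=ctx)  # raises imaplib.IMAP4.error on a non-OK reply
    except Exception:
        conn.shutdown()
        raise
    return conn


if __name__ == "__main__":
    for name, c in (("imaplib default", stdlib_unverified_context()),
                    ("hardened", hardened_imap_context())):
        print(f"{name}: check_hostname={c.check_hostname} verify_mode={c.verify_mode!r}")
```

Passing the context explicitly is the whole point: with either helper, an IMAP server presenting a certificate for the wrong name, or one not chaining to a trusted CA, makes the handshake fail instead of silently succeeding as it does with the None default. For an internal server with a private CA, point cafile at that CA's bundle rather than reaching for a non-verifying context.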

4 participants