Yes, I fucking love going to the coffee shop and airport, then proceeding to download qBittorrent to download some Linux ISOs. Because those places always have highly reliable WiFi, high speed and are definitely not filtering traffic.
The download with an unverified certificate is only triggered on Windows if there isn't a "good enough" version of Python installed. If it's already installed then nothing needs to be downloaded.
Again, this vulnerability can't be exploited unless the attacker is able to MitM you or python.org is hijacked.
It's very hard to exploit in real life en masse. A targeted attack is possible, but it requires the attacker to:
1) Be able to do MitM in the first place
2) You need to use qBittorrent
3) You need to use Windows
4) You must not have a Python version installed that is supported by qBittorrent
But ordinary use of qBittorrent is fine. The only part with a clear path to code execution (assuming MITM and no certificate verification) is the initial install of Python - which is only required for certain features, only installs once, and requires user confirmation to start.
My comment was about Python.org and I think that it wouldn't be unusual for a student to start doing some work in a coffee shop and get MITMd.
However, it'd be quite easy for someone to have set up qBittorrent to auto-start on their laptop and then to forget about it when they're doing something else at an airport, coffee shop or other place where you would expect to use someone's wifi. Note that it doesn't even have to be wifi set up by the business - it could be a bad actor setting up an access point that just looks like it belongs there.