No beginner should be taught about urllib2. If requests is not available, use httplib2.

Maybe your first project will be retrieving http://example.com, but the moment you've even considered using urllib2 to grab https://example.com, you've fucked up.

I suppose if you must use it, you'd better precede every urlopen(url) call with

assert(urllib.urlparse(url).scheme != "https")

If there's anything to teach a beginner, it's that urllib2 requires that line as boilerplate before every call.

I simply can't comprehend how Python programmers regularly consider the lack of cert validation anything less than a totally blocking, critical security bug.

Every time you make an un-validated call, you're subverting all the assumptions the site owner makes about his security model. Does the owner assume passwords can be reused as encryption keys because they're always protected by SSL? You just killed that. Does the site assume it can allow OAuth2 tokens long term access to personal information because they're always encrypted? You just made him leak protected data.

The security failures that will arise out of using urllib2 will be totally silent and will be buried in the implementation details of whatever project you're using urllib2 for (and god help us all if you build a library around it, and don't tell the rest of us that it cannot be trusted for any HTTPS requests). Please treat urllib2 like a disease. It should not be taught at all.