On 24 February 2016 at 21:28, Cory Benfield <cory at lukasa.co.uk> wrote:

> > On 24 Feb 2016, at 10:32, Nick Coghlan <ncoghlan at gmail.com> wrote:
> >
> > Security Considerations
> > -----------------------
> >
> > Relative to the behaviour in Python 3.4.3+ and Python 2.7.9->2.7.11, this
> > approach does introduce a new downgrade attack against the default security
> > settings that potentially allows a sufficiently determined attacker to revert
> > Python to the default behaviour used in CPython 2.7.8 and earlier releases.
> > However, such an attack requires the ability to modify the execution
> > environment of a Python process prior to the import of the ``ssl`` module,
> > and any attacker with such access would already be able to modify the
> > behaviour of the underlying OpenSSL implementation.
> >
>
> I’m not entirely sure this is accurate. Specifically, an attacker that is
> able to set environment variables but nothing else (no filesystem access)
> would be able to disable hostname validation.

... for SSL contexts that aren't explicitly enabling it.

> To my knowledge this is the only environment variable that could be set
> that would do that.
>
> It’s just worth noting here that this potentially opens a little crack in
> Python’s armour.

Only in Python 2.7's, and there we have a much bigger problem with folks
not upgrading past 2.7.8, and with a number of redistributors considering
the change too disruptive to backport as a security fix.

I do think you're right though, so I'll tweak the wording of that section
accordingly.

Cheers,
Nick.

--
Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia
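
The distinction drawn in this exchange, between contexts that rely on the process-wide default and contexts that enable verification explicitly, can be checked at start-up. The following is an added example, not code from the thread or from CPython; it assumes the Python 3 ``ssl`` API, takes the variable name ``PYTHONHTTPSVERIFY`` from PEP 493 (the message does not name it), and its helper names are hypothetical.

```python
import os
import ssl

# Variable name defined by PEP 493 (assumption: not named in the message);
# per the PEP, the value "0" turns default HTTPS verification off.
ENV_VAR = "PYTHONHTTPSVERIFY"


def environment_downgrades_verification(environ=None):
    """Return True if the environment asks for unverified HTTPS by default."""
    environ = os.environ if environ is None else environ
    return environ.get(ENV_VAR) == "0"


def explicit_verified_context(cafile=None):
    """Build a client context whose verification does not rely on defaults."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    # Set both explicitly so a changed process-wide default cannot weaken them.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_verified(ctx):
    """Audit helper: does this context validate both chain and hostname?"""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def audit(ctx, environ=None):
    """Return a list of findings for a start-up check or a test suite."""
    findings = []
    if environment_downgrades_verification(environ):
        findings.append("%s=0 is set in the process environment" % ENV_VAR)
    if not context_is_verified(ctx):
        findings.append("context does not require certificate and hostname checks")
    return findings


if __name__ == "__main__":
    # Constructed environment for illustration; real use passes os.environ.
    sample_env = {ENV_VAR: "0"}
    for finding in audit(explicit_verified_context(), sample_env):
        print("WARNING:", finding)
```

The environment finding is reported even when the audited context is verified, because other code in the same process may still build contexts from the default.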