Alex Stapleton added the comment:

CRIME is not universally applicable to all TLS connections and it requires some 
cooperation from the application to work. In fact for a Python TLS client it 
seems quite unlikely for an application to be vulnerable. The attack in the 
paper leverages an insecure website to inject JavaScript to issue crafted 
requests to a secure one, i.e. it requires both compression and some degree of 
remote code execution to work. Perhaps there are ways to extend the attack to 
apply to more common Python TLS client usage though?

Also some users will absolutely want to manually re-enable compression, please 
don't disable it entirely.

----------
nosy: +Alex.Stapleton

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue20994>
_______________________________________
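
The two preconditions named in the comment above (compression, plus attacker-chosen bytes in the same stream as a secret), followed by the per-context switch that keeps compression an explicit opt-in. This is an added example, not part of the tracker message or of CPython; the cookie value, request layout and function names are constructed for illustration.

```python
import ssl
import zlib

# Constructed sample secret; not taken from the thread.
SECRET_HEADER = b"Cookie: session=7f3a9c51e2d84b06a1c9\r\n"


def compressed_len(attacker_part, secret_part=SECRET_HEADER):
    """Size of one DEFLATE stream that holds attacker-chosen and secret bytes."""
    request = b"GET /" + attacker_part + b" HTTP/1.1\r\n" + secret_part
    return len(zlib.compress(request))


def length_signal():
    """Return (len_when_repeating_secret, len_when_not) for equal-length inputs.

    The plaintexts have the same length, so any difference in compressed size
    comes only from DEFLATE finding the secret twice in the same stream.
    """
    same = compressed_len(b"?session=7f3a9c51e2d84b06a1c9")
    diff = compressed_len(b"?session=QzX0pLm4RtVy8NwKs2Hb")
    return same, diff


def client_context(allow_compression=False):
    """Client context with TLS compression off unless the caller opts in."""
    ctx = ssl.create_default_context()  # already sets OP_NO_COMPRESSION
    opts = int(ctx.options)
    if allow_compression:
        # Explicit opt-in for callers that never mix secrets with
        # attacker-influenced data on the same connection.
        opts &= ~int(ssl.OP_NO_COMPRESSION)
    else:
        opts |= int(ssl.OP_NO_COMPRESSION)
    ctx.options = opts
    return ctx


def compression_disabled(ctx):
    """True if the context refuses to negotiate TLS-level compression."""
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


if __name__ == "__main__":
    print("compressed sizes (repeat, no repeat):", length_signal())
    print("default client disables compression:",
          compression_disabled(client_context()))
```

Clearing the option only permits compression; whether it is actually negotiated depends on the OpenSSL build and the peer, which `SSLSocket.compression()` reports after the handshake.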