New submission from STINNER Victor: Copy of Donald Stufft's email sent to python-dev:
A big security breach of SSL 3.0 just dropped a little while ago (named POODLE). With this there is now no ability to securely connect via SSL 3.0. I believe that we should disable SSL 3.0 in Python similarly to how SSL 2.0 is disabled, where it is disabled by default unless the user has explicitly re-enabled it.

The new attack essentially allows reading the sensitive data from within an SSL 3.0 connection stream. It takes roughly 256 requests to break a single byte so the attack is very practical. You can read more about the attack here at the Google announcement [1] or the whitepaper [2].

[1] http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
[2] https://www.openssl.org/~bodo/ssl-poodle.pdf

----------
messages: 229368
nosy: haypo
priority: normal
severity: normal
status: open
title: ssl module: the SSLv3 protocol is vulnerable ("POODLE" attack)
type: security
versions: Python 2.7, Python 3.1, Python 3.2, Python 3.3, Python 3.4, Python 3.5

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue22638>
_______________________________________

_______________________________________________
Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
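The setting the email asks for, as an added example that is not part of the bug report, the quoted email, or CPython's own ssl module: an application-side context that refuses SSLv2 and SSLv3 regardless of the interpreter's defaults, plus a check that tells whether a given context (or a raw options word and protocol floor) could still negotiate SSLv3. Function and constant names (make_hardened_context, sslv3_possible, context_allows_sslv3, NO_SSLV3_FLAG, SSLV3_VERSION) are this example's own. On Python 3.7 and later the example uses SSLContext.minimum_version, which is the supported mechanism today; the OP_NO_SSLv3 option bit the email refers to is used only as the fallback for older interpreters.

```python
import ssl

# Wire-format version number of SSLv3 (0x0300); this equals
# ssl.TLSVersion.SSLv3 on Python 3.7+, spelled as a plain int so the check
# also works on older interpreters that have no TLSVersion enum.
SSLV3_VERSION = 0x0300

# Numeric value of the OP_NO_SSLv3 option bit, exposed as a module constant
# so raw option words can be checked without touching the ssl module.
NO_SSLV3_FLAG = int(ssl.OP_NO_SSLv3)


def make_hardened_context(purpose=ssl.Purpose.SERVER_AUTH):
    """Build an SSLContext that can never negotiate SSLv2 or SSLv3.

    The email proposes that CPython do this by default; this helper makes
    it explicit so it holds regardless of the interpreter's defaults.
    """
    ctx = ssl.create_default_context(purpose)
    if hasattr(ssl, "TLSVersion"):
        # Python 3.7+: a protocol floor is the supported way to exclude old
        # versions (the OP_NO_* flags are deprecated from 3.10 on).
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    else:
        # Older interpreters: the same option-bit mechanism that already
        # disabled SSLv2 in 2014, applied to SSLv3 as the email proposes.
        ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    return ctx


def sslv3_possible(options, minimum_version=None):
    """Pure check on raw settings: could a context negotiate SSLv3?

    options         -- the context's option bits (int or ssl.Options)
    minimum_version -- the context's protocol floor, or None when the
                       interpreter has no minimum_version attribute

    Returns True only if neither the OP_NO_SSLv3 bit nor a floor above
    SSLv3 rules it out.  ssl.TLSVersion.MINIMUM_SUPPORTED is negative, so a
    floor of "whatever OpenSSL allows" does not count as protection.
    """
    if int(options) & NO_SSLV3_FLAG:
        return False
    if minimum_version is not None and int(minimum_version) > SSLV3_VERSION:
        return False
    return True


def context_allows_sslv3(ctx):
    """Apply sslv3_possible() to a live SSLContext."""
    return sslv3_possible(ctx.options, getattr(ctx, "minimum_version", None))


if __name__ == "__main__":
    ctx = make_hardened_context()
    print("hardened context can negotiate SSLv3:", context_allows_sslv3(ctx))
```

Note that the check deliberately treats a protocol floor of MINIMUM_SUPPORTED as no protection at all: whether such a context can actually speak SSLv3 depends on how the underlying OpenSSL was built, which is exactly the kind of dependency the email wants removed from the default.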