On 24 February 2016 at 21:28, Cory Benfield <c...@lukasa.co.uk> wrote:
>
> > On 24 Feb 2016, at 10:32, Nick Coghlan <ncogh...@gmail.com> wrote:
> >
> > Security Considerations
> > -----------------------
> >
> > Relative to the behaviour in Python 3.4.3+ and Python 2.7.9->2.7.11, this
> > approach does introduce a new downgrade attack against the default security
> > settings that potentially allows a sufficiently determined attacker to revert
> > Python to the default behaviour used in CPython 2.7.8 and earlier releases.
> > However, such an attack requires the ability to modify the execution
> > environment of a Python process prior to the import of the ``ssl`` module,
> > and any attacker with such access would already be able to modify the
> > behaviour of the underlying OpenSSL implementation.
> >
>
> I’m not entirely sure this is accurate. Specifically, an attacker that is
> able to set environment variables but nothing else (no filesystem access)
> would be able to disable hostname validation.

... for SSL contexts that aren't explicitly enabling it.

> To my knowledge this is the only environment variable that could be set
> that would do that.
>
> It’s just worth noting here that this potentially opens a little crack in
> Python’s armour.
>

Only in Python 2.7's, and there we have a much bigger problem with folks
not upgrading past 2.7.8, and with a number of redistributors considering
the change too disruptive to backport as a security fix.

I do think you're right though, so I'll tweak the wording of that section
accordingly.

Cheers,
Nick.

--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia