On 24.02.2016 21:39, Cory Benfield wrote:
>
>> On 24 Feb 2016, at 12:19, M.-A. Lemburg <m...@egenix.com> wrote:
>>
>> On 24.02.2016 12:28, Cory Benfield wrote:
>>>
>>>> On 24 Feb 2016, at 10:32, Nick Coghlan <ncogh...@gmail.com> wrote:
>>>>
>>>> Security Considerations
>>>> -----------------------
>>>>
>>>> Relative to the behaviour in Python 3.4.3+ and Python 2.7.9->2.7.11, this
>>>> approach does introduce a new downgrade attack against the default security
>>>> settings that potentially allows a sufficiently determined attacker to revert
>>>> Python to the default behaviour used in CPython 2.7.8 and earlier releases.
>>>> However, such an attack requires the ability to modify the execution
>>>> environment of a Python process prior to the import of the ``ssl`` module,
>>>> and any attacker with such access would already be able to modify the
>>>> behaviour of the underlying OpenSSL implementation.
>>>>
>>>
>>> I’m not entirely sure this is accurate. Specifically, an attacker that is
>>> able to set environment variables but nothing else (no filesystem access)
>>> would be able to disable hostname validation. To my knowledge this is the
>>> only environment variable that could be set that would do that.
>>
>> An attacker with access to the OS environment of a process would
>> be able to do lots of things. I think disabling certificate checks
>> is not one of the highest ranked attack vectors you'd use, given
>> such capabilities :-)
>>
>> Think of LD_PRELOAD attacks, LD_LIBRARY_PATH manipulations, shell PATH
>> manipulations (think spawned processes), compiler flag manipulations
>> (think "pip install sourcepkg"), OpenSSL reconfiguration, etc.
>>
>> Probably much easier than an active attack would be to simply extract
>> sensitive information from the environ and use this for more direct
>> attacks, e.g. accessing databases, payment services, etc.
>
> To be clear, I’m not suggesting that this represents a reason not to do any
> of this, just that we should not suggest that there is no risk here: there
> is, and it is a new attack vector.
Fair enough :-)

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Experts (#1, Feb 24 2016)
>>> Python Projects, Coaching and Consulting ...  http://www.egenix.com/
>>> Python Database Interfaces ...           http://products.egenix.com/
>>> Plone/Zope Database Interfaces ...           http://zope.egenix.com/
________________________________________________________________________
2016-02-19: Released eGenix PyRun 2.1.2 ...       http://egenix.com/go88

::: We implement business ideas - efficiently in both time and costs :::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
                      http://www.malemburg.com/

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
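The defensive counterpart to the downgrade discussed in the thread, as an added example that is neither the thread's nor CPython's code: an application that pins its verification settings on an explicit `SSLContext`, and audits that context before connecting, is not affected by whatever the environment told the `ssl` module at import time. It assumes the 2.7.9+/3.4.3+ `ssl` API; the variable name is the one PEP 493 (the proposal Nick is quoting) defines for 2.7.12+, which the thread itself never spells out, and Python 3 ignores it.

```python
"""Pin TLS verification explicitly instead of trusting the interpreter default."""
import os
import ssl

# Defined by PEP 493 for Python 2.7.12+: the value "0" restores the unverified
# 2.7.8-era default when ``ssl`` is imported. Python 3 ignores it, but a
# 2.7 child process spawned from this environment would honour it.
DOWNGRADE_VAR = "PYTHONHTTPSVERIFY"


def environment_requests_downgrade(environ=None):
    """True if the environment the ssl module would see asks for unverified HTTPS."""
    env = os.environ if environ is None else environ
    return env.get(DOWNGRADE_VAR, "").strip() == "0"


def hardened_context(cafile=None):
    """Build a context whose verification settings are set here, not inherited."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED   # the chain must validate
    ctx.check_hostname = True             # and the name must match the cert
    return ctx


def context_verifies(ctx):
    """Audit any context: does it behave like the 2.7.9+/3.4.3+ defaults?"""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def legacy_default_context():
    """The CPython 2.7.8-style behaviour the downgrade reverts to (PEP 476 helper)."""
    return ssl._create_unverified_context()


def assert_verifying(ctx):
    """Fail closed before any connection if the context was downgraded."""
    if not context_verifies(ctx):
        raise RuntimeError("TLS context does not verify peer certificates")
    return ctx


if __name__ == "__main__":
    print("environment asks for downgrade:", environment_requests_downgrade())
    print("hardened context verifies:", context_verifies(hardened_context()))
    print("legacy context verifies:", context_verifies(legacy_default_context()))
```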