[New-bugs-announce] [issue20994] Disable TLS Compression
Donald Stufft
report at bugs.python.org
Thu Mar 20 14:53:36 CET 2014
New submission from Donald Stufft:
Since Python 3.3 the ssl module has supported the ability to opt in to disabling TLS Compression [1]. However TLS Compression has the problem that it typically leaks data through an attack known as CRIME. CRIME is specific to HTTP but the type of attack it employs is not.
I believe that CPython should just flat out disable TLS Compression and it should do so in all currently active branches (2.7, 3.2+). The patch is fairly minor however there is the question of how that should be handled in 3.3+ where there would be a now useless flag and method on SSLContext. The likelhood for breakage is fairly low and all modern browsers have already permanently disabled it.
[1] http://bugs.python.org/issue13634
----------
messages: 214234
nosy: christian.heimes, dstufft, ncoghlan, pitrou
priority: normal
severity: normal
status: open
title: Disable TLS Compression
versions: Python 2.7, Python 3.2, Python 3.3, Python 3.4, Python 3.5
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue20994>
_______________________________________
More information about the New-bugs-announce
mailing list