[Python-Dev] PEP 466: Proposed policy change for handling network security enhancements

Cory Benfield cory at lukasa.co.uk
Sun Mar 23 08:29:07 CET 2014


On 23 March 2014 at 04:32:17, Terry Reedy (tjreedy at udel.edu(mailto:tjreedy at udel.edu)) wrote:
> Instead, I think the PEP should propose a special series of server
> enhancement releases that are based on the final 2.7 maintenance release
> (2.7.8 or 2.7.9) but which have a different application-specific
> enhancement policy.

This is an interesting idea. My biggest problem with it is that, at least
with the ssl library, these aren’t server-only problems. If we suggest that
they are, we end up in the same position we’re in right now (that is, hurting
the internet).

For example, Python 2.7’s ssl module lacks the OP_NO_COMPRESSION option for
OpenSSL, meaning that the application is at the mercy of the server to determine
whether it’s vulnerable to the CRIME attack. Given that all modern browsers
already disable TLS compression, we can assume that lots of server admins haven’t
bothered disabling it on their end. This leaves pretty much anyone using HTTPS,
client or server, on Python 2.7 at risk of the CRIME attack. This isn’t a
server-only problem, so I feel like limiting the fixes to a ‘server’ release
is not good enough.
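As an added illustration (not part of the post above, and not CPython's own code) of what the missing flag means for a client: on a Python 3 `ssl` module, where `ssl.OP_NO_COMPRESSION` exists, a client can refuse TLS compression itself instead of depending on the server; the `getattr` fallback models the older module where the attribute is simply absent. The `allow_compression` switch is there only to show the weak state beside the hardened one.

```python
"""Client-side CRIME mitigation: refuse TLS compression regardless of peer.

Added example. Assumes a Python 3 `ssl` module; `ssl.OP_NO_COMPRESSION`
was added to the stdlib in 3.3 and is missing from the 2.7 releases the
thread discusses, which is the case the getattr() fallback represents.
"""
import ssl

# 0 stands in for "this interpreter's ssl module has no such flag".
_NO_COMPRESSION = getattr(ssl, "OP_NO_COMPRESSION", 0)


def build_client_context(allow_compression=False):
    """Return a client SSLContext with TLS compression explicitly refused.

    Modern CPython already sets OP_NO_COMPRESSION by default; setting it
    again is idempotent and documents the intent. With allow_compression
    the bit is cleared, reproducing what a 2.7 client effectively did:
    leave the decision to the server.
    """
    ctx = ssl.create_default_context()  # system CA bundle, hostname check
    if _NO_COMPRESSION == 0:
        # Old ssl module: no way to express the option, the peer decides.
        return ctx
    if allow_compression:
        ctx.options &= ~_NO_COMPRESSION
    else:
        ctx.options |= _NO_COMPRESSION
    return ctx


def compression_disabled(ctx):
    """True only if this context can and will refuse TLS compression."""
    return _NO_COMPRESSION != 0 and bool(ctx.options & _NO_COMPRESSION)


def describe(ctx):
    """Short audit string suitable for a startup log line."""
    if _NO_COMPRESSION == 0:
        return "tls-compression: cannot be controlled (no OP_NO_COMPRESSION)"
    state = "refused" if compression_disabled(ctx) else "left to the server"
    return "tls-compression: " + state


if __name__ == "__main__":
    # After a real handshake, SSLSocket.compression() returns None when
    # no compression method was negotiated; offline we only inspect options.
    print(describe(build_client_context()))
    print(describe(build_client_context(allow_compression=True)))
```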
