[issue20994] Disable TLS Compression

Alex Stapleton report at bugs.python.org
Thu Mar 20 16:28:02 CET 2014


Alex Stapleton added the comment:

CRIME is not universally applicable to all TLS connections and it requires some cooperation from the application to work. In fact, for a Python TLS client it seems quite unlikely for an application to be vulnerable. The attack in the paper leverages an insecure website to inject JavaScript to issue crafted requests to a secure one, i.e., it requires both compression and some degree of remote code execution to work. Perhaps there are ways to extend the attack to apply to more common Python TLS client usage though?

Also, some users will absolutely want to manually re-enable compression; please don't disable it entirely.

----------
nosy: +Alex.Stapleton

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue20994>
_______________________________________
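The knob this issue is about is the `ssl` module's `OP_NO_COMPRESSION` option. The following is an added example, not code from the tracker thread or from CPython: a context factory that leaves compression off by default but keeps the explicit opt-in the comment asks for, plus a post-handshake check that confirms what was actually negotiated. The function names (`make_context`, `compression_disabled`, `audit_negotiated_compression`) are my own, and `_StubTLSSocket` is a constructed stand-in for `ssl.SSLSocket` so the check can run without a live connection; on a real socket it would call `SSLSocket.compression()` in the same way.

```python
import ssl

# Added illustration (not part of the tracker issue): disable TLS compression
# by default, keep an explicit opt-in, and verify the negotiated result.


def make_context(purpose=ssl.Purpose.SERVER_AUTH, allow_compression=False):
    """Return an SSLContext; TLS compression is off unless the caller opts in."""
    ctx = ssl.create_default_context(purpose)
    if allow_compression:
        # Explicit re-enable: clear the OP_NO_COMPRESSION bit. The options
        # setter accepts a plain int, so work on ints to avoid IntFlag quirks.
        ctx.options = int(ctx.options) & ~int(ssl.OP_NO_COMPRESSION)
    else:
        ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def compression_disabled(ctx):
    """True when the context forbids negotiating a TLS compression method."""
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


def audit_negotiated_compression(tls_sock, allow_compression=False):
    """Post-handshake check. Returns (ok, method).

    Setting the option is a request to OpenSSL; a defender should still look
    at the result. SSLSocket.compression() returns the negotiated method name
    (for example 'zlib') or None. Any object exposing compression() works.
    """
    method = tls_sock.compression()
    if method is None:
        return True, None
    # A method was negotiated: acceptable only if the deployment opted in.
    return allow_compression, method


class _StubTLSSocket:
    """Constructed stand-in for ssl.SSLSocket so the audit runs offline."""

    def __init__(self, method):
        self._method = method

    def compression(self):
        return self._method


if __name__ == "__main__":
    default_ctx = make_context()
    opt_in_ctx = make_context(allow_compression=True)
    print("default context forbids compression:", compression_disabled(default_ctx))
    print("opt-in context forbids compression:", compression_disabled(opt_in_ctx))
    for sock, allowed in ((_StubTLSSocket(None), False),
                          (_StubTLSSocket("zlib"), False),
                          (_StubTLSSocket("zlib"), True)):
        ok, method = audit_negotiated_compression(sock, allow_compression=allowed)
        print(f"negotiated={method!r} allowed={allowed} -> ok={ok}")
```

The audit step matters because the option only expresses policy; whether a compression method can be negotiated at all also depends on how the underlying OpenSSL was built, so checking `compression()` after the handshake is the observable fact to log or alert on.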