[issue22638] ssl module: the SSLv3 protocol is vulnerable ("POODLE" attack)
Antoine Pitrou
report at bugs.python.org
Wed Oct 15 10:12:13 CEST 2014
Antoine Pitrou added the comment:
Matthew Green posted a nice explanation of the attack:
http://blog.cryptographyengineering.com/2014/10/attack-of-week-poodle.html
In short, currently it requires injection of code into the "browser" (i.e. SSL client) to be exploitable. While that's easy on the WWW, it's not necessarily possible with other protocols.
I think we could strengthen all stdlib *servers* because third-party clients are generally more up-to-date than third-party servers, so we risk less disruption. That may involve a separate _create_stdlib_server_context() function.
Besides, I think that, independently of this, we could strengthen _create_stdlib_context() in 3.5.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue22638>
_______________________________________
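The server-side hardening proposed in the comment above, sketched as an added example (not part of the original message and not CPython's own code). The names `create_server_context`, `legacy_context` and `audit` are hypothetical; only `ssl.OP_NO_SSLv3`, `ssl.PROTOCOL_TLS_SERVER` and `SSLContext.minimum_version` are real stdlib API (Python 3.7+ assumed).

```python
import ssl


def create_server_context(certfile=None, keyfile=None):
    """Hypothetical factory: a server-side context that refuses SSLv3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Explicitly refuse SSLv3 so the setting does not depend on library defaults.
    ctx.options |= ssl.OP_NO_SSLv3
    if certfile is not None:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def legacy_context():
    """Constructed for comparison only: the OP_NO_SSLv3 flag is cleared."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options &= ~ssl.OP_NO_SSLv3
    return ctx


def audit(ctx):
    """Report the two settings that keep SSLv3 from being negotiated."""
    flag = bool(ctx.options & ssl.OP_NO_SSLv3)
    # A minimum_version above SSLv3 also excludes it, even without the flag.
    # TLSVersion.MINIMUM_SUPPORTED is negative, so it never counts as a floor.
    floor = ctx.minimum_version > ssl.TLSVersion.SSLv3
    return {
        "no_sslv3_flag": flag,
        "floor_above_sslv3": floor,
        "sslv3_refused": flag or floor,
    }


if __name__ == "__main__":
    for name, ctx in (("hardened", create_server_context()),
                      ("legacy", legacy_context())):
        print(name, audit(ctx))
```

Running `audit()` over every context a service builds shows which ones rely only on the library's default protocol floor rather than an explicit setting.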