[Python-checkins] peps: PEP 493: clarify a security caveat

nick.coghlan python-checkins at python.org
Thu Feb 25 03:21:56 EST 2016


https://hg.python.org/peps/rev/a24451715d84
changeset:   6245:a24451715d84
user:        Nick Coghlan <ncoghlan at gmail.com>
date:        Thu Feb 25 18:21:44 2016 +1000
summary:
  PEP 493: clarify a security caveat

files:
  pep-0493.txt |  17 +++++++++++++----
  1 files changed, 13 insertions(+), 4 deletions(-)


diff --git a/pep-0493.txt b/pep-0493.txt
--- a/pep-0493.txt
+++ b/pep-0493.txt
@@ -246,10 +246,19 @@
 approach does introduce a new downgrade attack against the default security
 settings that potentially allows a sufficiently determined attacker to revert
 Python to the default behaviour used in CPython 2.7.8 and earlier releases.
-However, such an attack requires the ability to modify the execution
-environment of a Python process prior to the import of the ``ssl`` module,
-and any attacker with such access would already be able to modify the
-behaviour of the underlying OpenSSL implementation.
+
+This slight increase in the available attack surface is the main reason why:
+
+* security sensitive applications should still define their own SSL context
+* the migration features described in this PEP are not being added to Python 3
+
+However, it's also worth keeping in mind that carrying out such an attack
+requires the ability to modify the execution environment of a Python process
+prior to the import of the ``ssl`` module. In combination with the ability
+to write to any part of the filesystem (such as ``/tmp``), any attacker with
+such access would already be able to modify the behaviour of the underlying
+OpenSSL implementation, the dynamic library loader, and other potentially
+security sensitive components.
 
 Interaction with Python virtual environments
 --------------------------------------------
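Review bot: the first bullet in the new list ("security sensitive applications should still define their own SSL context") gives the recommendation without the reason the surrounding paragraph implies, namely that the downgrade attack described here targets the default security settings, so an application that builds its own context explicitly is not affected by it; adding that clause to the bullet would make the mitigation self-explanatory for readers who skip the prose. Minor style point: "security sensitive" appears twice in the added lines and reads better hyphenated as "security-sensitive".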

-- 
Repository URL: https://hg.python.org/peps
