[Python-Dev] PEP 493: HTTPS verification migration tools for Python 2.7

Cory Benfield cory at lukasa.co.uk
Wed Feb 24 06:28:27 EST 2016


> On 24 Feb 2016, at 10:32, Nick Coghlan <ncoghlan at gmail.com> wrote:
> 
> Security Considerations
> -----------------------
> 
> Relative to the behaviour in Python 3.4.3+ and Python 2.7.9->2.7.11, this
> approach does introduce a new downgrade attack against the default security
> settings that potentially allows a sufficiently determined attacker to revert
> Python to the default behaviour used in CPython 2.7.8 and earlier releases.
> However, such an attack requires the ability to modify the execution
> environment of a Python process prior to the import of the ``ssl`` module,
> and any attacker with such access would already be able to modify the
> behaviour of the underlying OpenSSL implementation.
> 

I’m not entirely sure this is accurate. Specifically, an attacker that is able to set environment variables but nothing else (no filesystem access) would be able to disable hostname validation. To my knowledge this is the only environment variable that could be set that would do that.

It’s just worth noting here that this potentially opens a little crack in Python’s armour.

Cory
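A defender-side check for the downgrade discussed above, added here as an example (not code from the PEP or from either poster): instead of trusting the environment, it inspects the context that urllib will actually build and fails closed if hostname checking or certificate verification is off. It assumes the PEP 493 switch is the PYTHONHTTPSVERIFY variable (the quoted text does not name it) and uses the private ssl._create_default_https_context factory that urllib consults in CPython 2.7.9+ and 3.4+.

```python
"""Verify at startup that this interpreter's default HTTPS context still verifies."""
import os
import ssl


def context_is_verified(factory=None):
    """Return True only if the context the factory builds verifies peers.

    `factory` defaults to ssl._create_default_https_context, the hook urllib
    uses for https:// URLs. Under PEP 493 that hook is swapped for
    ssl._create_unverified_context when the downgrade is requested, so this
    test sees the effect of any override regardless of how it was applied.
    """
    if factory is None:
        factory = ssl._create_default_https_context
    ctx = factory()
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def downgrade_indicators():
    """Collect the signals a log line or audit check would want to record."""
    return {
        # Assumption: PYTHONHTTPSVERIFY is the PEP 493 environment switch.
        "env_override": os.environ.get("PYTHONHTTPSVERIFY"),
        "default_context_verified": context_is_verified(),
    }


def require_verified_https():
    """Fail closed: refuse to continue if the default context was downgraded."""
    indicators = downgrade_indicators()
    if not indicators["default_context_verified"]:
        raise RuntimeError(
            "HTTPS verification has been disabled for this process: %r" % indicators
        )
    return indicators


if __name__ == "__main__":
    print(require_verified_https())
```

Running the interpreter with `-E` (ignore PYTHON* environment variables) closes the environment-only path Cory describes without touching the filesystem.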
