[Python-Dev] PEP 493: HTTPS verification migration tools for Python 2.7

Nick Coghlan ncoghlan at gmail.com
Wed Feb 24 06:42:49 EST 2016


On 24 February 2016 at 21:28, Cory Benfield <cory at lukasa.co.uk> wrote:

>
> > On 24 Feb 2016, at 10:32, Nick Coghlan <ncoghlan at gmail.com> wrote:
> >
> > Security Considerations
> > -----------------------
> >
> > Relative to the behaviour in Python 3.4.3+ and Python 2.7.9->2.7.11, this
> > approach does introduce a new downgrade attack against the default security
> > settings that potentially allows a sufficiently determined attacker to revert
> > Python to the default behaviour used in CPython 2.7.8 and earlier releases.
> > However, such an attack requires the ability to modify the execution
> > environment of a Python process prior to the import of the ``ssl`` module,
> > and any attacker with such access would already be able to modify the
> > behaviour of the underlying OpenSSL implementation.
> >
>
> I’m not entirely sure this is accurate. Specifically, an attacker that is
> able to set environment variables but nothing else (no filesystem access)
> would be able to disable hostname validation.


... for SSL contexts that aren't explicitly enabling it.


> To my knowledge this is the only environment variable that could be set
> that would do that.
>
> It’s just worth noting here that this potentially opens a little crack in
> Python’s armour.
>

Only in Python 2.7's, and there we have a much bigger problem with folks
not upgrading past 2.7.8, and with a number of redistributors considering
the change too disruptive to backport as a security fix.

I do think you're right though, so I'll tweak the wording of that section
accordingly.

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
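The following is an added example, not code from this thread or from PEP 493 itself. It illustrates the distinction Nick draws above: an environment-driven downgrade of the process-wide default only affects code that relies on that default, so a client that builds its context explicitly and pins verification on is unaffected. The `strict_https_context`, `verifies_peer`, `audit` and `fetch` names are assumed, the non-verifying context is constructed here purely so the audit has something to reject, and the code uses the Python 3 `ssl` API (the same attributes exist in 2.7.9+).

```python
import ssl
import urllib.request


def strict_https_context(cafile=None):
    """Client TLS context that verifies the chain and the hostname regardless
    of any process-wide default (assumed helper, not from the PEP).

    ssl.create_default_context() is not the hook a PEP 493 opt-out replaces,
    and the attributes are set explicitly anyway, so a downgraded default in
    the environment does not reach this context."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def verifies_peer(ctx):
    """Audit check: True only if the context requires a certificate chain
    and also matches the presented certificate against the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def downgraded_context_for_demo():
    """Constructed stand-in for the pre-2.7.9 behaviour (no chain or hostname
    checks). Exists only so the audit function has a negative case."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before CERT_NONE is set
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit(contexts):
    """Return the names of contexts that would accept an unverified peer.
    Useful as a startup self-check for a service that must never be
    downgraded by its execution environment."""
    return [name for name, ctx in contexts.items() if not verifies_peer(ctx)]


def fetch(url, ctx):
    """Open an HTTPS URL with an explicitly supplied context, refusing to
    proceed if that context does not verify the peer (fail closed)."""
    if not verifies_peer(ctx):
        raise ValueError("refusing HTTPS request with non-verifying context")
    # The context is passed explicitly, so the process default is irrelevant.
    return urllib.request.urlopen(url, context=ctx)


if __name__ == "__main__":
    report = audit({
        "explicit": strict_https_context(),
        "legacy": downgraded_context_for_demo(),
    })
    print("contexts that do not verify the peer:", report)
```

Running the audit at process start (or in a test suite) catches the case Cory raises, where only the environment, not the filesystem, was under an attacker's control: any context that was left to inherit a downgraded default shows up in the report, while contexts built as above do not.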