[Python-ideas] Secure string disposal (maybe other immutable seq types too?)
Gregory P. Smith
greg at krypto.org
Sat Jun 23 16:04:01 EDT 2018
On Sat, Jun 23, 2018 at 12:57 PM Christian Heimes <christian at python.org>
> If you need to protect sensitive data like private keys, then don't load
> them into memory of your current process. It's that simple. :) Bugs like
> heartbleed were an issue, because private keys were in the same process
> space as the TLS/SSL code. Solutions like gpg-agent, ssh-agent, TPM,
> HSM, Linux's keyring and AF_ALG socket all aim to offload operations
> with private key material into a secure subprocess, Kernel space or
> special hardware.
It is fundamentally impossible for a Python VM (certainly CPython) to
implement any sort of guaranteed erasure of data and/or control over data
to prevent copying that is ever stored in a Python object. This is not
unique to Python. All interpreted and jitted VMs share this trait, as do
most languages with garbage collection. ex: Java, Ruby, Go, etc.
Trying to pretend we could offer tracking and wiping of sensitive data
in-process is harmful at best as it cannot be guaranteed and thus gives the
wrong impression and will lead to misuse by people who ignore that.
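The point Greg makes above, as an added illustration that is not code from either poster: a mutable bytearray can be overwritten in place, but the immutable copies that ordinary code makes along the way (bytes, str, a slice, a concatenation) cannot be reached by that wipe. The secret value is constructed for the demo.

```python
# Added illustration for this thread (not code from the list posters): in
# CPython a bytearray can be zeroed, but every copy derived from it keeps
# the plaintext until the GC frees it, and nothing clears the page then.

def zero_bytearray(buf: bytearray) -> None:
    """Overwrite a mutable buffer in place. Best effort only: nothing stops
    the interpreter or the OS from having copied the bytes elsewhere."""
    for i in range(len(buf)):
        buf[i] = 0


def _holds(value, secret: bytes) -> bool:
    """True if `value` (bytes, bytearray or str) still contains the secret."""
    if isinstance(value, str):
        return secret.decode() in value
    return secret in bytes(value)


def wipe_demo(secret: bytes) -> dict:
    """Load a secret into a bytearray, make the kinds of copies real code
    makes, zero the bytearray, then report which copies still hold it."""
    buf = bytearray(secret)  # the only object our wipe can reach
    copies = {
        "bytes_copy": bytes(buf),   # immutable, cannot be overwritten
        "str_copy": buf.decode(),   # str is immutable too
        "slice": buf[:],            # a new bytearray, not an alias of buf
        "concat": b"key=" + buf,    # a fresh bytes object
    }
    zero_bytearray(buf)
    return {
        "buffer_wiped": not any(buf),
        "still_readable": {
            name: _holds(value, secret) for name, value in copies.items()
        },
    }


if __name__ == "__main__":
    # Constructed demo value; every copy still reads back the secret.
    print(wipe_demo(b"constructed-demo-secret"))
```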