[Python-Dev] PEP 493: HTTPS verification migration tools for Python 2.7

Nick Coghlan ncoghlan at gmail.com
Wed Feb 24 06:42:49 EST 2016


On 24 February 2016 at 21:28, Cory Benfield <cory at lukasa.co.uk> wrote:

> On 24 Feb 2016, at 10:32, Nick Coghlan <ncoghlan at gmail.com> wrote:
>
>> Security Considerations
>> -----------------------
>>
>> Relative to the behaviour in Python 3.4.3+ and Python 2.7.9->2.7.11, this
>> approach does introduce a new downgrade attack against the default security
>> settings that potentially allows a sufficiently determined attacker to revert
>> Python to the default behaviour used in CPython 2.7.8 and earlier releases.
>> However, such an attack requires the ability to modify the execution
>> environment of a Python process prior to the import of the ssl module,
>> and any attacker with such access would already be able to modify the
>> behaviour of the underlying OpenSSL implementation.
>
> I’m not entirely sure this is accurate. Specifically, an attacker that is able to set environment variables but nothing else (no filesystem access) would be able to disable hostname validation.

... for SSL contexts that aren't explicitly enabling it.

> To my knowledge this is the only environment variable that could be set that would do that.

> It’s just worth noting here that this potentially opens a little crack in Python’s armour.

Only in Python 2.7's, and there we have a much bigger problem with folks not upgrading past 2.7.8, and with a number of redistributors considering the change too disruptive to backport as a security fix.

I do think you're right though, so I'll tweak the wording of that section accordingly.

Cheers, Nick.

-- 
Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia
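As an added illustration of the point Nick makes above (not code from the thread or from the PEP), this example shows why an SSL context that explicitly enables verification is unaffected by the environment-variable downgrade, and adds a small audit check for that variable. It assumes the variable name PYTHONHTTPSVERIFY from PEP 493 itself and, since the variable has no effect on Python 3, constructs the "downgraded" context by hand to mirror the pre-2.7.9 defaults.

```python
"""Added example for the PEP 493 downgrade discussion (not the thread's or the
PEP's own code). Assumptions: the variable name PYTHONHTTPSVERIFY and its
opt-out value "0" come from PEP 493; on Python 3 the variable has no effect,
so the 'legacy' context below is constructed by hand."""
import os
import ssl

DOWNGRADE_VAR = "PYTHONHTTPSVERIFY"  # PEP 493 variable (assumption: "0" = disable)


def explicit_verifying_context():
    """A context that turns verification on itself, so it does not depend on
    the interpreter-wide default that the environment variable can revert."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def legacy_unverified_context():
    """Constructed stand-in for the CPython 2.7.8-and-earlier defaults:
    no hostname check and no certificate validation. check_hostname must be
    cleared before verify_mode is relaxed, or ssl raises ValueError."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies_peer(ctx):
    """True only if both certificate validation and hostname matching are on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def downgrade_requested(environ):
    """Detection helper: does this environment ask for the 2.7 default to be
    disabled? Takes a mapping so it can be checked against captured env data."""
    return environ.get(DOWNGRADE_VAR, "").strip() == "0"


if __name__ == "__main__":
    print("explicit context verifies:", verifies_peer(explicit_verifying_context()))
    print("legacy context verifies:", verifies_peer(legacy_unverified_context()))
    print("downgrade requested here:", downgrade_requested(os.environ))
```

The explicit context is what "SSL contexts that are explicitly enabling it" refers to: its verification settings live on the context object, not in the interpreter default the variable can revert.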


