PEP 493: clarify a security caveat

2016-02-25 18:21:44 +10:00 · 2016-02-25 18:21:44 +10:00 · a283db8c30
parent 9c4c3a39c7
commit a283db8c30
1 changed files with 13 additions and 4 deletions
--- a/pep-0493.txt
+++ b/pep-0493.txt
@ -246,10 +246,19 @@ Relative to the behaviour in Python 3.4.3+ and Python 2.7.9->2.7.11, this
 approach does introduce a new downgrade attack against the default security
 settings that potentially allows a sufficiently determined attacker to revert
 Python to the default behaviour used in CPython 2.7.8 and earlier releases.
-However, such an attack requires the ability to modify the execution
-environment of a Python process prior to the import of the ``ssl`` module,
-and any attacker with such access would already be able to modify the
-behaviour of the underlying OpenSSL implementation.
+
+This slight increase in the available attack surface is the main reason why:
+
+* security sensitive applications should still define their own SSL context
+* the migration features described in this PEP are not being added to Python 3
+
+However, it's also worth keeping in mind that carrying out such an attack
+requires the ability to modify the execution environment of a Python process
+prior to the import of the ``ssl`` module. In combination with the ability
+to write to any part of the filesystem (such as ``/tmp``), any attacker with
+such access would already be able to modify the behaviour of the underlying
+OpenSSL implementation, the dynamic library loader, and other potentially
+security sensitive components.

 Interaction with Python virtual environments
 --------------------------------------------