
Author naif
Recipients jcea, naif, pitrou
Date 2011-12-19.10:53:35
Message-id <1324292016.82.0.631284256073.issue13627@psf.upfronthosting.co.za>
In-reply-to
Content
The Tor Project is composed of cryptography experts, thus I am opening this ticket because with our group we're implementing Tor2web based on Python that requires *strict* security requirements for crypto.

The Tor Project heavily uses Python for most of its tools.

If you want, we can open a discussion within the Tor Project to have a "rationale method" to define a set of "default ciphers" considering the ratio of security/performance/compatibility.

That way anyone using Python SSL/TLS will be sure of using a "Secure system" without the risk of legacy protocols such as SSLv2 or insecure ciphers like Export 40bit DES that are nowadays enabled by default.

Today a Python coder approaching SSL/TLS will have an insecurely configured TLS connection that can be hijacked via the SSLv2 protocol or cracked via 40bit DES.

Even Firefox, Chrome, IE, Opera disable by default certain protocols and certain ciphers, so imho it would be valuable to have a "Secure default", obviously considering and maintaining compatibility.

What do you think?
History
Date | User | Action | Args
2011-12-19 10:53:36 | naif | set | recipients: + naif, jcea, pitrou
2011-12-19 10:53:36 | naif | set | messageid: <1324292016.82.0.631284256073.issue13627@psf.upfronthosting.co.za>
2011-12-19 10:53:36 | naif | link | issue13627 messages
2011-12-19 10:53:35 | naif | create |
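
The check the message asks for can be run against any `ssl.SSLContext`. The following is an added example, not part of naif's message or of CPython: it audits a cipher list for the classes the message names (SSLv2 suites, export-grade and sub-128-bit ciphers) and builds a client context with those excluded. It assumes Python 3.7+ (`get_ciphers()`, `minimum_version`), which postdates this message; `SAMPLE`, the function names and the cipher string are illustrative choices, and `SAMPLE` is constructed data in the shape `get_ciphers()` returns.

```python
import ssl

# Name fragments OpenSSL uses for suites with a broken cipher or MAC,
# or with no server authentication (anonymous DH/ECDH).
WEAK_NAME_PARTS = ("RC4", "MD5", "ADH", "AECDH")

def weakness(cipher):
    """Return why one get_ciphers() entry is weak, or None if it passes."""
    name, bits = cipher["name"], cipher["strength_bits"]
    if cipher["protocol"] == "SSLv2":
        return "SSLv2 suite"
    if name.startswith("EXP"):
        return "export-grade"
    if bits < 128:
        return "%d-bit strength" % bits
    for part in WEAK_NAME_PARTS:
        if part in name:
            return "uses " + part
    return None

def audit(ciphers):
    """Map each weak suite name in a get_ciphers()-style list to its reason."""
    return {c["name"]: weakness(c) for c in ciphers if weakness(c)}

def hardened_client_context():
    """Client context: certificate checks on, TLS 1.2+, forward-secret AEAD suites."""
    ctx = ssl.create_default_context()  # enables cert and hostname verification
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Illustrative cipher string (an assumption, not a CPython default).
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4")
    return ctx

# Constructed sample: three legacy suites and one modern suite.
SAMPLE = [
    {"name": "EXP-DES-CBC-SHA", "protocol": "SSLv3", "strength_bits": 40},
    {"name": "DES-CBC-MD5", "protocol": "SSLv2", "strength_bits": 56},
    {"name": "RC4-MD5", "protocol": "SSLv3", "strength_bits": 128},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "strength_bits": 128},
]

if __name__ == "__main__":
    print("sample:  ", audit(SAMPLE))
    print("default: ", audit(ssl.create_default_context().get_ciphers()))
    print("hardened:", audit(hardened_client_context().get_ciphers()))
```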