
Author dstufft
Recipients christian.heimes, dstufft, ncoghlan, pitrou
Date 2014-03-20.13:53:35
Message-id <1395323616.33.0.927638655451.issue20994@psf.upfronthosting.co.za>
Content
Since Python 3.3 the ssl module has supported the ability to opt in to disabling TLS Compression [1]. However TLS Compression has the problem that it typically leaks data through an attack known as CRIME. CRIME is specific to HTTP but the type of attack it employs is not.

I believe that CPython should just flat out disable TLS Compression and it should do so in all currently active branches (2.7, 3.2+). The patch is fairly minor; however, there is the question of how that should be handled in 3.3+ where there would be a now useless flag and method on SSLContext. The likelihood for breakage is fairly low and all modern browsers have already permanently disabled it.

[1] http://bugs.python.org/issue13634
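
The opt-in described in the message above, as an added example that is not part of the original message or of CPython's code: it sets ssl.OP_NO_COMPRESSION on a context and checks, after a handshake, what SSLSocket.compression() reports. The helper names and the stand-in socket class are hypothetical.

```python
import ssl


def compression_disabled(ctx: ssl.SSLContext) -> bool:
    """True when the context refuses to negotiate TLS-level compression."""
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


def disable_tls_compression(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Opt in to the flag added in Python 3.3; other options stay untouched."""
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def check_negotiated(sock) -> None:
    """Call after the handshake. SSLSocket.compression() returns None when
    no compression is in use, otherwise the algorithm name as a string."""
    algo = sock.compression()
    if algo is not None:
        raise ssl.SSLError(f"TLS compression negotiated: {algo}")


def legacy_context() -> ssl.SSLContext:
    """Constructed sample: a client context with the flag cleared, standing
    in for code that never opted in."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.options &= ~ssl.OP_NO_COMPRESSION
    return ctx


class FakeSocket:
    """Constructed stand-in for a connected SSLSocket, so the post-handshake
    check can be exercised without a network connection."""

    def __init__(self, algo):
        self._algo = algo

    def compression(self):
        return self._algo


if __name__ == "__main__":
    ctx = legacy_context()
    print("before:", compression_disabled(ctx))
    print("after: ", compression_disabled(disable_tls_compression(ctx)))
    check_negotiated(FakeSocket(None))  # passes silently
```

With a real connection, pass the socket returned by ctx.wrap_socket() to check_negotiated() once the handshake has completed.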
History
Date User Action Args
2014-03-20 13:53:36 dstufft set recipients: + dstufft, ncoghlan, pitrou, christian.heimes
2014-03-20 13:53:36 dstufft set messageid: <1395323616.33.0.927638655451.issue20994@psf.upfronthosting.co.za>
2014-03-20 13:53:36 dstufft link issue20994 messages
2014-03-20 13:53:35 dstufft create