
Author: Alex.Stapleton
Recipients: Alex.Stapleton, alex, christian.heimes, dstufft, ncoghlan, pitrou
Date: 2014-03-20.15:28:02
Message-id: <1395329282.26.0.250195780482.issue20994@psf.upfronthosting.co.za>
Content
CRIME is not universally applicable to all TLS connections, and it requires some cooperation from the application to work. In fact, for a Python TLS client it seems quite unlikely for an application to be vulnerable. The attack in the paper leverages an insecure website to inject JavaScript that issues crafted requests to a secure one, i.e. it requires both compression and some degree of remote code execution to work. Perhaps there are ways to extend the attack to apply to more common Python TLS client usage, though?

Also, some users will absolutely want to manually re-enable compression; please don't disable it entirely.
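The two positions in this message, compression off unless an application opts back in, map directly onto the public `ssl.SSLContext.options` API. The following is an added example written for this page, not code from the message author or from CPython; the helper names `make_client_context` and `compression_disabled` are assumptions made here. It uses only `ssl.create_default_context`, `ssl.OP_NO_COMPRESSION` and the `options` attribute, and sets or clears the bit explicitly rather than relying on whatever a given Python or OpenSSL version chooses as its default.

```python
"""TLS compression as an explicit, opt-in choice for a Python TLS client.

Added example for this discussion (not the author's or CPython's code).
It assumes nothing beyond the standard-library ssl module.
"""
import ssl


def make_client_context(allow_compression: bool = False) -> ssl.SSLContext:
    """Return a client SSLContext.

    Compression is switched off (OP_NO_COMPRESSION set) unless the caller
    explicitly asks for it. Clearing the bit is the hook for the "some
    users will want to manually re-enable compression" case; it should be
    a deliberate, reviewed decision because CRIME-style attacks depend on
    compression of attacker-influenced plaintext.
    """
    ctx = ssl.create_default_context()
    if allow_compression:
        # Opt back in: clear the bit. ssl.Options is an IntFlag, so the
        # documented `&= ~flag` idiom works here.
        ctx.options &= ~ssl.OP_NO_COMPRESSION
    else:
        # Hardened default: make the bit explicit instead of assuming the
        # library default did it for us.
        ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def compression_disabled(ctx: ssl.SSLContext) -> bool:
    """True when the context will refuse to negotiate TLS compression."""
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


def describe(ctx: ssl.SSLContext) -> str:
    """Human-readable summary for logging or a startup self-check."""
    state = "disabled" if compression_disabled(ctx) else "ENABLED (opt-in)"
    return f"TLS compression: {state}"


if __name__ == "__main__":
    print(describe(make_client_context()))
    print(describe(make_client_context(allow_compression=True)))
```

After a handshake, `SSLSocket.compression()` on the wrapped socket reports the negotiated method, and returns `None` when none was negotiated; that is the runtime check to pair with the context-level one above if you need to verify the behaviour against a live peer.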