Message229408
Matthew Green posted a nice explanation of the attack:
http://blog.cryptographyengineering.com/2014/10/attack-of-week-poodle.html
In short, currently it requires injection of code into the "browser" (i.e. SSL client) to be exploitable. While that's easy on the WWW, it's not necessarily possible with other protocols.
I think we could strengthen all stdlib *servers* because third-party clients are generally more up-to-date than third-party servers, so we risk less disruption. That may involve a separate _create_stdlib_server_context() function.
Besides, I think that, independently of this, we could strengthen _create_stdlib_context() in 3.5.

Date | User | Action | Args
2014-10-15 08:12:13 | pitrou | set | recipients: + pitrou, janssen, vstinner, giampaolo.rodola, christian.heimes, Arfrever, alex, dstufft
2014-10-15 08:12:13 | pitrou | set | messageid: <1413360733.76.0.781196882516.issue22638@psf.upfronthosting.co.za>
2014-10-15 08:12:13 | pitrou | link | issue22638 messages
2014-10-15 08:12:13 | pitrou | create |
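Added illustration, not part of the original message and not CPython's own code: POODLE targets SSLv3, so this sketch shows a stricter server-side context built with the current ssl module and a configuration check for whether a context would still permit SSLv3. The function names, the TLS 1.2 floor and the constructed "legacy" settings are assumptions made for the example.

```python
import ssl


def sslv3_negotiable(options, minimum_version):
    """Policy check: do these context settings still permit SSLv3?

    Inspects configuration only; whether the linked OpenSSL was built
    with SSLv3 support at all is a separate question.
    """
    if options & ssl.OP_NO_SSLv3:
        return False
    return minimum_version in (ssl.TLSVersion.MINIMUM_SUPPORTED,
                               ssl.TLSVersion.SSLv3)


def create_hardened_server_context(certfile=None, keyfile=None):
    """Hypothetical stand-in for a stricter server-side context factory."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Assumed floor: refuse everything below TLS 1.2, which rules out SSLv3.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Let the server, not the client, pick the cipher suite.
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    if certfile is not None:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_context(ctx):
    """Summarise the protocol floor of an existing SSLContext."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "sslv3_negotiable": sslv3_negotiable(ctx.options,
                                             ctx.minimum_version),
    }


# Constructed sample: settings modelling a context that never set
# OP_NO_SSLv3 and has no explicit protocol floor.
LEGACY_OPTIONS = 0
LEGACY_MINIMUM = ssl.TLSVersion.MINIMUM_SUPPORTED

if __name__ == "__main__":
    print("legacy settings permit SSLv3:",
          sslv3_negotiable(LEGACY_OPTIONS, LEGACY_MINIMUM))
    print("hardened context:", audit_context(create_hardened_server_context()))
```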