Author pitrou
Recipients Arfrever, alex, christian.heimes, dstufft, giampaolo.rodola, janssen, pitrou, vstinner
Date 2014-10-15.08:12:13
Matthew Green posted a nice explanation of the attack:

In short, currently it requires injection of code into the "browser" (i.e. SSL client) to be exploitable. While that's easy on the WWW, it's not necessarily possible with other protocols.

I think we could strengthen all stdlib *servers* because third-party clients are generally more up-to-date than third-party servers, so we risk less disruption. That may involve a separate _create_stdlib_server_context() function.

Besides, I think that, independently of this, we could strengthen _create_stdlib_context() in 3.5.
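As an added illustration (not code from this issue or from CPython), here is what a hypothetical `create_stdlib_server_context()` along the lines proposed above might look like, with a helper that reports which legacy protocol versions a context would still negotiate. It assumes that "strengthening" means refusing SSL 3.0, TLS 1.0 and TLS 1.1 as well as TLS compression, and it relies on `SSLContext.minimum_version`, which only exists in Python 3.7 and later, not 3.5.

```python
import ssl

# Versions treated as legacy here (an assumption of this example) and the
# OP_NO_* flag that switches each one off at the context level.
LEGACY_NO_FLAGS = {
    ssl.TLSVersion.SSLv3: ssl.OP_NO_SSLv3,
    ssl.TLSVersion.TLSv1: ssl.OP_NO_TLSv1,
    ssl.TLSVersion.TLSv1_1: ssl.OP_NO_TLSv1_1,
}


def create_stdlib_server_context(certfile=None, keyfile=None):
    """Hypothetical stdlib server context (illustration, not CPython's code).

    A server side context does not verify the peer, so the hardening is
    purely about which protocol versions and features it will accept."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL3/TLS1.0/TLS1.1
    # Compression leaks plaintext length; server cipher preference stops a
    # client from steering the handshake to the weakest suite still offered.
    ctx.options |= ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def weakened_server_context():
    """Constructed 'before' case: a server context with no version floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def legacy_versions_enabled(ctx):
    """Names of legacy versions the context's settings would still allow.

    Both the min/max bounds and the OP_NO_* flags are consulted, because
    the ssl module applies both without reconciling them."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    enabled = []
    for version, no_flag in LEGACY_NO_FLAGS.items():
        if ctx.options & no_flag:
            continue
        if lo != ssl.TLSVersion.MINIMUM_SUPPORTED and version < lo:
            continue
        if hi != ssl.TLSVersion.MAXIMUM_SUPPORTED and version > hi:
            continue
        enabled.append(version.name)
    return enabled
```

The default context already carries OP_NO_SSLv3 on current Pythons, so the weakened variant still shows TLS 1.0 and 1.1 as negotiable while the hardened one reports nothing.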
Date                 User    Action  Args
2014-10-15 08:12:13  pitrou  set     recipients: + pitrou, janssen, vstinner, giampaolo.rodola, christian.heimes, Arfrever, alex, dstufft
2014-10-15 08:12:13  pitrou  set     messageid: <>
2014-10-15 08:12:13  pitrou  link    issue22638 messages
2014-10-15 08:12:13  pitrou  create