Author pitrou
Recipients Arfrever, alex, christian.heimes, dstufft, giampaolo.rodola, janssen, pitrou, vstinner
Date 2014-10-15.08:12:13
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1413360733.76.0.781196882516.issue22638@psf.upfronthosting.co.za>
In-reply-to
Content
Matthew Green posted a nice explanation of the attack:
http://blog.cryptographyengineering.com/2014/10/attack-of-week-poodle.html

In short, currently it requires injection of code into the "browser" (i.e. SSL client) to be exploitable. While that's easy on the WWW, it's not necessarily possible with other protocols.

I think we could strengthen all stdlib *servers* because third-party clients are generally more up-to-date than third-party servers, so we risk less disruption. That may involve a separate _create_stdlib_server_context() function.

Besides, I think that, independently of this, we could strengthen _create_stdlib_context() in 3.5.
History
Date User Action Args
2014-10-15 08:12:13pitrousetrecipients: + pitrou, janssen, vstinner, giampaolo.rodola, christian.heimes, Arfrever, alex, dstufft
2014-10-15 08:12:13pitrousetmessageid: <1413360733.76.0.781196882516.issue22638@psf.upfronthosting.co.za>
2014-10-15 08:12:13pitroulinkissue22638 messages
2014-10-15 08:12:13pitroucreate