Python Update Limits Risk of POODLE Attacks

NEWS ANALYSIS: Python 2.x was supposed to be long gone by now. Instead, it's getting security fixes to keep legacy users current.



Python 3 was first released six years ago and, at the time, the plan was for Python 2.x to eventually disappear. That hasn't happened.

Instead, Python 2.x is still widely used (many parts of the open-source OpenStack cloud platform rely on it, for example), and on Dec. 10 Python 2.7.9 was released, providing all manner of bug fixes to keep Python 2.x users somewhat up to date.

The biggest change is that the SSL (Secure Sockets Layer) module from Python 3.4 is now included in Python 2.7.9. In addition, SSL 3.0 is now disabled by default across the standard library to limit the risk of the POODLE attack (it can still be enabled by constructing an SSL context by hand). POODLE is a padding-oracle attack that exploits a weakness in the CBC-mode padding of the legacy SSL 3.0 protocol; Google first reported it on Oct. 13. That means Python 2.x users have been exposed to a potential POODLE attack for nearly two months. The good news is that POODLE attacks have not yet been publicly reported in the wild.
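To see what the backported module gives a 2.7.9 user, the following added example (written for this page, not code from the Python project or from the ssl module documentation) checks that the interpreter carries the PEP 466 ssl module, builds a context the way 2.7.9's new default does, builds a context that still permits SSL 3.0 as a model of the pre-2.7.9 situation, and reports the POODLE-relevant settings of each. The function names are assumptions of this example; the ssl calls and constants are the standard library's own and exist on Python 2.7.9+ and 3.4+. No network connection is made, so it runs offline.

```python
"""Inspect the TLS settings Python 2.7.9 backported from 3.4 under PEP 466.

Runs on Python 2.7.9+ and 3.4+. The contexts are only inspected, never used
for a handshake, so nothing here touches the network.
"""
import ssl


def interpreter_has_backported_ssl():
    """True if this interpreter carries the PEP 466 ssl module.

    Python 2.7.8 and earlier had no SSLContext, no create_default_context()
    and no OP_NO_SSLv3; their presence is the cheapest check that the
    3.4-era module is in place.
    """
    return all(hasattr(ssl, name)
               for name in ("SSLContext", "create_default_context", "OP_NO_SSLv3"))


def hardened_context():
    """Client context as Python 2.7.9's create_default_context() ships it.

    create_default_context() already disables SSLv2 and SSLv3 and turns on
    certificate and hostname verification; the explicit OR is belt and
    braces so the intent survives if someone later swaps in a bare context.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    return ctx


def legacy_context():
    """Model of the pre-2.7.9 configuration: protocol negotiation with SSLv3
    still permitted.

    On 2.7.9 a bare SSLContext(PROTOCOL_SSLv23) leaves OP_NO_SSLv3 unset;
    newer 3.x sets it by default, so it is cleared here explicitly to keep
    the comparison meaningful on any version. Whether the OpenSSL underneath
    would actually negotiate SSLv3 is a separate question: modern builds
    compile it out.
    """
    proto = getattr(ssl, "PROTOCOL_TLS", ssl.PROTOCOL_SSLv23)
    ctx = ssl.SSLContext(proto)
    ctx.options &= ~ssl.OP_NO_SSLv3
    return ctx


def check_context(ctx):
    """Summarise the POODLE-relevant settings of an SSLContext as a dict."""
    opts = int(ctx.options)
    no_v2 = ssl.OP_NO_SSLv2
    return {
        # OpenSSL 1.1.0+ removed SSLv2 outright and defines OP_NO_SSLv2 as 0;
        # a zero constant therefore counts as "disabled".
        "sslv2_disabled": no_v2 == 0 or bool(opts & no_v2),
        "sslv3_disabled": bool(opts & ssl.OP_NO_SSLv3),
        "verify_mode": ctx.verify_mode,          # CERT_REQUIRED == 2
        "check_hostname": getattr(ctx, "check_hostname", False),
    }


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    print("PEP 466 ssl module present:", interpreter_has_backported_ssl())
    for name, ctx in (("hardened", hardened_context()),
                      ("legacy", legacy_context())):
        print(name, check_context(ctx))
```

The useful operational check is the last one: a context only counts as safe from POODLE if OP_NO_SSLv3 is set on it, and on 2.7.9 that is true of create_default_context() but not of every SSLContext an application constructs itself.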

The fact that the open-source Python community decided to drop support for SSL 3.0 and to backport the full SSL module from the newer Python 3.4 release is interesting and noteworthy for a number of reasons.

Python 2.7 itself was first released in 2010 and was supposed to be the last major release of Python 2.x. Python 2.7 was not originally supposed to get backports from Python 3.

The Python community adds feature requests by way of Python Enhancement Proposals, or PEPs. PEP 466 outlines the overall rationale for backporting Network Security Enhancements for Python 2.7.x.

"In recognition of the additional practical considerations that have arisen during the 4+ year maintenance cycle for Python 2.7, this PEP allows a critical set of network security related features to be backported from Python 3.4 to upcoming Python 2.7.x maintenance releases," PEP 466 states.

What Python developers recognized with PEP 466 is the simple truth that keeping old security components in currently running technology is not good practice for its community. PEP 466 notes that the SSL module in Python 2.7.x was already four years old and used features that had been locked in six years ago.

"These are simply too old to provide a foundation that can be recommended in good conscience for secure networking software that operates over the public internet," PEP 466 states. "While they represented reasonable security infrastructure in their time, the state of the art has moved on, and we need to investigate mechanisms for effectively providing more up to date network security infrastructure for users that, for whatever reason, are not currently in a position to migrate to Python 3."

PEP 466, however, is not a blank slate for backporting whatever any individual developer wants in Python 2.7.x. "Every new feature proposed for backporting will still need to be justified independently," the PEP notes.

Whether the security issue is POODLE or another issue yet to be publicly disclosed, the simple reality is that old software is still running on lots of production deployments. Some vendors pick a date and simply end-of-life their products. Case in point: Microsoft's Windows XP, which no longer receives security updates even though it is likely still deployed in homes and offices around the world.

Rather than stick its metaphorical head in the sand, the open-source Python community is taking a mature and responsible approach. Sure, Python as a project could just stop providing legacy support for Python 2.x, in effect forcing users to migrate to Python 3.x. The reality, though, is that migration is not always possible, for any number of reasons. Python isn't just a hobbyist project; it's an open-source language that runs applications and the cloud.

Maintaining old software is not easy. Even four years after what was supposed to be the final major update for Python 2.x, it remains widely deployed. As an open-source effort that isn't driven by the whims of any one commercial software vendor, Python isn't motivated by an economic incentive either. The Python 2.7.9 security fixes and backports are motivated by one simple goal: to do what's right for the security of the Internet.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.