From 940c92ff68d4b1de5d772520b0b148a40d813176 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 19 Feb 2016 06:34:39 -0500 Subject: Several updates to our security docs: - Document what we consider a vulnerability - Update my prefered PGP key identifier - Clarify that we only provide security support for the most recent release (this has empirically been true for all of our releases --- docs/security.rst | 37 +++++++++++++++++++++++++++++++++++-- 1 file changed, 35 insertions(+), 2 deletions(-) (limited to 'docs') diff --git a/docs/security.rst b/docs/security.rst index 13f99960..424fdb6c 100644 --- a/docs/security.rst +++ b/docs/security.rst @@ -5,6 +5,39 @@ We take the security of ``cryptography`` seriously. The following are a set of policies we have adopted to ensure that security issues are addressed in a timely fashion. +What is a security issue? +------------------------- + +Anytime it's possible to write code using ``cryptography``'s public API which +does not provide the guarntees that a reasonable developer would expect it to +based on our documentation. + +That's a bit academic, but basically it means the scope of what we consider a +vulnerability is broad, and we do not require a proof of concept or even a +specific exploit, merely a reasonable threat model under which ``cryptography`` +could be attacked. + +To give a few examples of things we would consider security issues: + +* If a recipe, such as Fernet, made it easy for a user to bypass + confidentiality or integrity with the public API (e.g. if the API let a user + reuse nonces). +* If, under any circumstances, we used a CSPRNG which wasn't fork-safe. +* If ``cryptography`` used an API in an underlying C library and failed to + handle error conditions safely. + +Examples of things we wouldn't consider security issues: + +* Offering ECB mode for symmetric encryption. Though ECB is critically weak, it + is documented as being weak in our documentation. +* Using a variable time comparison somewhere, if it's not possible to + articulate any particular program in which this would result in problematic + information disclosure. + +In general, if you're unsure, we request that you to default to treating things +as security issues and handling them sensitively, the worst thing that can +happen is that we'll ask you to file a bug issue. + Reporting a security issue -------------------------- @@ -14,7 +47,7 @@ tracker. If you believe you've identified a security issue with ``cryptography``, please report it to ``alex.gaynor@gmail.com``. Messages may be optionally encrypted with PGP using key fingerprint -``E27D 4AA0 1651 72CB C5D2 AF2B 125F 5C67 DFE9 4084`` (this public key is +``F7FC 698F AAE2 D2EF BECD E98E D1B3 ADC0 E023 8CA6`` (this public key is available from most commonly-used key servers). Once you've submitted an issue via email, you should receive an acknowledgment @@ -25,7 +58,7 @@ Supported Versions ------------------ At any given time, we will provide security support for the `master`_ branch -as well as the 2 most recent releases. +as well as the most recent release. New releases for OpenSSL updates -------------------------------- -- cgit v1.2.3 From ebcd037216a422ac5ac314099c47cbae02705e4c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 19 Feb 2016 07:06:54 -0500 Subject: spelling --- docs/security.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/security.rst b/docs/security.rst index 424fdb6c..f937afb3 100644 --- a/docs/security.rst +++ b/docs/security.rst @@ -9,7 +9,7 @@ What is a security issue? ------------------------- Anytime it's possible to write code using ``cryptography``'s public API which -does not provide the guarntees that a reasonable developer would expect it to +does not provide the guarantees that a reasonable developer would expect it to based on our documentation. That's a bit academic, but basically it means the scope of what we consider a -- cgit v1.2.3 From f7721aaaa14f789e911a61e5e946d618521920a9 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 19 Feb 2016 07:11:03 -0500 Subject: Good clarification from @dstufft --- docs/security.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'docs') diff --git a/docs/security.rst b/docs/security.rst index f937afb3..1cc1273d 100644 --- a/docs/security.rst +++ b/docs/security.rst @@ -28,8 +28,8 @@ To give a few examples of things we would consider security issues: Examples of things we wouldn't consider security issues: -* Offering ECB mode for symmetric encryption. Though ECB is critically weak, it - is documented as being weak in our documentation. +* Offering ECB mode for symmetric encryption in the *Hazmat* layer. Though ECB + is critically weak, it is documented as being weak in our documentation. * Using a variable time comparison somewhere, if it's not possible to articulate any particular program in which this would result in problematic information disclosure. -- cgit v1.2.3 From 9c4c0dc48ca7815ab80e254e9496b144bec75c8e Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 19 Feb 2016 17:13:38 -0500 Subject: Added a word --- docs/spelling_wordlist.txt | 1 + 1 file changed, 1 insertion(+) (limited to 'docs') diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt index 6def7959..47415a7e 100644 --- a/docs/spelling_wordlist.txt +++ b/docs/spelling_wordlist.txt @@ -45,6 +45,7 @@ multi naïve namespace namespaces +nonces Nonces online paddings -- cgit v1.2.3