bugs.python.org still stuck on deprecated and insecure TLS 1.0 resulting in SSL_ERROR_UNSUPPORTED_VERSION on clients with POODLE mitigations #13

@CAM-Gerlach

On the same general topic and scope as #4 (TLS problems with bugs.python.org) but not the same issue, so reported here—hopefully this is the right place.

To help mitigate POODLE and similar attacks, I've had TLS 1.0 disabled in my browser for a long time now. To my shock, despite not having a problem with such on virtually every other site of significance, I received an SSL_ERROR_UNSUPPORTED_VERSION error when attempting to load bugs.python.org. Sure enough, when I re-enabled it to test, the site was indeed using TLS 1.0.

I've always strongly supported the PSF's efforts to get the community ported over to Python 3 on a reasonable schedule, and as a member of the core dev team of Spyder, the premier open-source data science IDE for and in Python, I've spearheaded the effort to plan for dropping Py2.7 support entirely on or before the PSF EOL deadline. Therefore, it is simply inconceivable to me why its very own bug tracker site doesn't support, much less enforce, a standard (TLS 1.1) finalized well over two and a half years before Python 3's first release and over four before Py2.7; even TLS 1.2, still the current standard, was released several months before Python 3 and several years before Python 2.7. This is particularly jarring since this is an incremental infrastructure upgrade, rather than a major porting effort involving every line of code, and rather than just being out of date is acutely vulnerable to real-world attacks.

Therefore, it seems rather pressing that the site migrate to a modern SSL library that supports secure versions of TLS, i.e. 1.2, as soon as practicable. Unfortunately, I won't be able to be of much help effecting that as I'm a scientist first, a programmer second and a DevOps specialist...well, really not at all, but I wanted to surface the issue so those responsible were aware. Thanks!
