[Twisted-Python] Re: cred and stateless protocols

Manlio Perillo manlio_perillo at libero.it
Mon May 8 02:17:43 MDT 2006


jarrod roberson ha scritto:
> [...]
>     I simply have seen an UDP protocol that uses sessions to identify each
>     request.
>     The session is obtained after an authentication phase.
> 
> 
> if the sesssion id never changes I am SURE you have seen an insecure UDP
> protocol

Of course, as the 90% of internet (as far as I have seen)..

> which means unless the client and server are generating dynamic single
> use tokens and "know" what the next valid session id the client should
> send, which implies encryption plus authenticaiton on every request.
> 
>     Since I think that the procedure is similar to HTTP session handling, I
>     was asking if there is some reusable support for creating "secure"
>     session id and if cred has some support for this.
> 
> 
> 
> you still don't understand STATE != Authentication.
> 
> ANYONE can sniff the packets, get whatever token or breadcrumb you are
> using for the state id and spoof it.
> that is unless you REQUIRE authentication on every request. "secure"
> session id's imply a form of authenticaiton on every request.
> 

Ok, but this implies (with simple authentication scheme like HTTP) to
double the number of requests/reponses.

And what if the authentication protocol is more complex?

> you can't just "encrypt" a string and call it a "secure" session id.
> 

But I can generate a "secure" session and use it for encrypt every
request/response.

Or, more simply, one can use SSL.

Unfortunately many web site not use SSL or use only HTTP Base
Authentication...


By the way:
for user tracking in UDP, why not just use the peer address?



Thanks and regards  Manlio Perillo




More information about the Twisted-Python mailing list