[Twisted-Python] AutobahnPython 0.6.3 - WebSocket compression and more

exarkun at twistedmatrix.com exarkun at twistedmatrix.com
Sun Oct 6 15:26:29 MDT 2013


On 02:51 pm, tobias.oberstein at tavendo.de wrote:
>>.. , since I like compression but I also send credentials over TLS :)
>
>IMHO, credentials should never be sent over the wire (be it encrypted 
>or not) and never be stored in plaintext.
>
>FWIW, Autobahn provides a challenge-response authentication scheme 
>("WAMP_CRA") that also allows for salted/hashed passwords 
>(pbkdf2-based) for WebSocket/WAMP.
>
>With TLS, and in a Post-Snowden era, how do you know your TLS server 
>isn't impersonated and encryption broken?
>
>Personally, I assume root CA private keys of any CA vendor are owned by 
>the NSA anyway.

There's no rule that says you have to use a "root CA" signed certificate 
for your TLS connections.

Jean-Paul
>Really, TLS is broken.
>
>We need a new scheme. For encryption session keys, Diffie-Hellman is 
>available, and provides perfect forward secrecy naturally.
>
>For authentication, we need a peer-based system like PGP has, not 
>relying on centrally managed trust.
>
>I know. Not going to happen any time soon ..
>
>/Tobias
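
The challenge-response scheme Tobias mentions above (Autobahn's WAMP-CRA with PBKDF2-salted credentials) is easier to reason about with a worked exchange. The block below is an added example written for this page, not Autobahn's own code and not the WAMP-CRA wire format; the JSON challenge layout, the class and function names, the iteration count and the user "joe" with password "secret123" are assumptions constructed for the demonstration. It shows the property being argued for: the server stores only a salt and a derived key, the client sends back only an HMAC over a one-time challenge, and the password itself never crosses the wire, encrypted or not.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Added example (not Autobahn code): a minimal challenge-response login in the
# style of WAMP-CRA. The password never crosses the wire; the server stores
# only a salt and a PBKDF2-derived key, and the client proves knowledge of the
# password by HMAC-signing a one-time server challenge.

PBKDF2_ITERATIONS = 1000   # assumed parameters for this example
PBKDF2_KEYLEN = 32


def derive_key(password, salt, iterations, keylen):
    """PBKDF2-HMAC-SHA256. Both ends compute it locally; it is never transmitted."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, keylen)


def sign_challenge(key, challenge):
    """HMAC-SHA256 over the challenge text, base64-encoded for the wire."""
    mac = hmac.new(key, challenge.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


class CraServer:
    """Server side: credential store plus outstanding one-time challenges."""

    def __init__(self):
        self.users = {}      # authid -> dict(salt, iterations, keylen, key)
        self.pending = {}    # nonce -> (authid, challenge text)

    def enroll(self, authid, password, salt=None):
        # Enrollment is the only moment the server ever sees the password.
        salt = salt or base64.b64encode(os.urandom(16)).decode("ascii")
        self.users[authid] = {
            "salt": salt, "iterations": PBKDF2_ITERATIONS, "keylen": PBKDF2_KEYLEN,
            "key": derive_key(password, salt, PBKDF2_ITERATIONS, PBKDF2_KEYLEN),
        }

    def challenge(self, authid):
        """Issue a fresh challenge. The client gets the challenge plus the
        salt parameters it needs to re-derive the key; nothing secret."""
        user = self.users[authid]
        nonce = base64.b64encode(os.urandom(16)).decode("ascii")
        challenge = json.dumps({"authid": authid, "nonce": nonce,
                                "timestamp": int(time.time())}, sort_keys=True)
        self.pending[nonce] = (authid, challenge)
        return challenge, {k: user[k] for k in ("salt", "iterations", "keylen")}

    def authenticate(self, nonce, signature):
        """Verify a signature against the stored key. The nonce is consumed
        whether or not the check passes, so a captured signature cannot be replayed."""
        entry = self.pending.pop(nonce, None)
        if entry is None:
            return False
        authid, challenge = entry
        expected = sign_challenge(self.users[authid]["key"], challenge)
        return hmac.compare_digest(expected, signature)


def client_respond(password, challenge, extra):
    """Client side: derive the key from the password and the server-supplied
    salt parameters, then sign the challenge. Only the signature goes back."""
    key = derive_key(password, extra["salt"], extra["iterations"], extra["keylen"])
    return sign_challenge(key, challenge)


def run_login(server, authid, password):
    """One full exchange; returns (authenticated, nonce, signature) so the
    caller can demonstrate a replay attempt with the same values."""
    challenge, extra = server.challenge(authid)
    signature = client_respond(password, challenge, extra)
    nonce = json.loads(challenge)["nonce"]
    return server.authenticate(nonce, signature), nonce, signature


if __name__ == "__main__":
    srv = CraServer()
    srv.enroll("joe", "secret123")          # constructed test credential
    ok, nonce, sig = run_login(srv, "joe", "secret123")
    print("correct password:", ok)
    print("replayed signature:", srv.authenticate(nonce, sig))
    print("wrong password:", run_login(srv, "joe", "wrong")[0])
```

Two things worth noting in the design: the server pops the nonce before checking the signature, so a passive observer who captures a valid signature gains nothing by resending it, and the comparison uses `hmac.compare_digest` rather than `==` so the verification does not leak timing about how many leading bytes matched. What the scheme does not give you is confidentiality of the session itself or protection against an active attacker who can tamper with the challenge in transit; that is still TLS's job, pinned or CA-signed.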
