[Twisted-Python] AutobahnPython 0.6.3 - WebSocket compression and more

exarkun at twistedmatrix.com exarkun at twistedmatrix.com
Sun Oct 6 18:23:22 MDT 2013


On 6 Oct, 11:02 pm, tobias.oberstein at tavendo.de wrote:
>>>Personally, I assume root CA private keys of any CA vendor are owned by
>>>the NSA anyway.
>>
>>There's no rule that says you have to use a "root CA" signed certificate
>>for your TLS connections.
>
>Sure, in theory, but there are multiple practical problems when using
>self-signed certs or certs signed by a CA not built into browsers. As a
>starter, here are 3:
>
>- enterprise networks might block those right away with no way for the user
>to accept self-signed or import alien CA certs
>- the user experience is bad: Firefox scares with dialogs and multiple steps
>of overcoming those
>- with WebSocket, browsers will not even show a dialog! WebSockets are
>so-called "subresources", and browsers will never render dialogs for these
>
>So in practice, I _have_ to use a CA that is built into all major browsers.

You're assuming a lot here.  Perhaps TLS is broken for all the uses 
you're interested in - that doesn't mean it's broken for everyone else's 
uses.

*This* is probably now sufficiently off-topic, though...

Jean-Paul
>/Tobias
>>
>>Jean-Paul
>>>Really, TLS is broken.
>>>
>>>We need a new scheme. For encryption session keys, Diffie-Hellman is
>>>available, and provides perfect forward secrecy naturally.
>>>
>>>For authentication, we need a peer-based system like PGP has, not
>>>relying on centrally managed trust.
>>>
>>>I know. Not going to happen any time soon ..
>>>
>>>/Tobias
>>
>>_______________________________________________
>>Twisted-Python mailing list
>>Twisted-Python at twistedmatrix.com
>>http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
>
>
>_______________________________________________
>Twisted-Python mailing list
>Twisted-Python at twistedmatrix.com
>http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
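The quoted remark that Diffie-Hellman "provides perfect forward secrecy naturally" is easy to make concrete. The following is an added example for this thread, not code from the list, from Autobahn or from Twisted. It generates a demo-sized 128-bit safe-prime group so it runs in about a second (an assumption for the demo; real deployments use a fixed, vetted 2048-bit+ group or an elliptic curve, never a freshly generated one), and it uses a constructed pre-shared HMAC key as a stand-in for whatever long-term credential authenticates the peers.

```python
"""Ephemeral Diffie-Hellman and forward secrecy (added example, not Twisted/Autobahn code)."""
import hashlib
import hmac
import secrets

# Small primes for cheap trial division ahead of Miller-Rabin.
SMALL_PRIMES = [n for n in range(3, 2000, 2)
                if all(n % d for d in range(3, int(n ** 0.5) + 1, 2))]


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin with random bases; false-positive probability <= 4**-rounds."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for p in SMALL_PRIMES:
        if n == p:
            return True
        if n % p == 0:
            return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2  # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_safe_prime(bits: int) -> int:
    """Return p = 2q + 1 with p and q both prime and p exactly `bits` bits long."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1  # odd, top bit set
        if not is_probable_prime(q, rounds=4):  # cheap first pass
            continue
        p = 2 * q + 1
        if is_probable_prime(p) and is_probable_prime(q):
            return p


class Group:
    """Prime-order subgroup of size q = (p-1)/2 inside Z_p^*."""
    def __init__(self, p: int):
        self.p, self.q = p, (p - 1) // 2
        self.g = 4  # a quadratic residue, so its order is exactly q (no small subgroup)
        self.nbytes = (p.bit_length() + 7) // 8

    def encode(self, y: int) -> bytes:
        return y.to_bytes(self.nbytes, "big")


def ephemeral_keypair(grp: Group):
    """Fresh per-session exponent x in [1, q-1] and public value g^x mod p."""
    x = secrets.randbelow(grp.q - 1) + 1
    return x, pow(grp.g, x, grp.p)


def validate_public(grp: Group, y: int) -> bool:
    """Reject 0, 1, p-1 and any value outside the order-q subgroup."""
    return 1 < y < grp.p - 1 and pow(y, grp.q, grp.p) == 1


def shared_secret(grp: Group, x: int, peer_y: int) -> int:
    if not validate_public(grp, peer_y):
        raise ValueError("peer public value is not in the prime-order subgroup")
    return pow(peer_y, x, grp.p)


def derive_key(grp: Group, s: int, transcript: bytes) -> bytes:
    """Session key from the ephemeral shared secret and the public transcript only.
    The long-term key is deliberately not an input."""
    return hashlib.sha256(b"dh-session|" + grp.encode(s) + b"|" + transcript).digest()


def verify_tag(long_term_key: bytes, transcript: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac.new(long_term_key, transcript, hashlib.sha256).digest(), tag)


def run_handshake(grp: Group, long_term_key: bytes):
    """One session. Returns (key_a, key_b, transcript, tag).

    The exponents xa and xb exist only inside this call. An attacker who records
    the transcript and later steals long_term_key can forge tags on *future*
    handshakes, but has no way to recover xa or xb, so this session's key stays
    out of reach: that is forward secrecy.
    """
    xa, ya = ephemeral_keypair(grp)
    xb, yb = ephemeral_keypair(grp)
    transcript = grp.encode(ya) + grp.encode(yb)
    tag = hmac.new(long_term_key, transcript, hashlib.sha256).digest()  # authentication only
    key_a = derive_key(grp, shared_secret(grp, xa, yb), transcript)
    key_b = derive_key(grp, shared_secret(grp, xb, ya), transcript)
    return key_a, key_b, transcript, tag


if __name__ == "__main__":
    grp = Group(generate_safe_prime(128))  # demo size; see the lead-in
    ltk = b"constructed pre-shared long-term key"
    k1, k1b, t1, _ = run_handshake(grp, ltk)
    k2, _, _, _ = run_handshake(grp, ltk)
    print("p =", grp.p)
    print("session 1 key:", k1.hex(), "(both sides agree:", k1 == k1b, ")")
    print("session 2 key:", k2.hex(), "(differs from session 1:", k1 != k2, ")")
```

Two things the block makes visible that the sentence in the thread does not: the subgroup check in validate_public is what stops a peer from forcing a degenerate shared secret, and derive_key taking only the ephemeral secret and the public transcript is exactly why leaking the long-term key later does not expose old sessions. What DH does not solve is the second point in the quoted message, authentication: here the HMAC over the transcript does that job with a pre-shared key, and in TLS that is the certificate's role.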
