[Twisted-Python] AutobahnPython 0.6.3 - WebSocket compression and more
Tobias Oberstein
tobias.oberstein at tavendo.de
Sun Oct 6 17:02:13 MDT 2013
>> Personally, I assume root CA private keys of any CA vendor are owned by
>> the NSA anyway.
>
> There's no rule that says you have to use a "root CA" signed certificate
> for your TLS connections.
Sure, in theory, but there are multiple practical problems when using
self-signed certs or certs signed by a CA not built into browsers. As a
starter, here are 3:
- enterprise networks might block those right away with no way for the user
to accept self-signed or import alien CA certs
- the user experience is bad: Firefox scares with dialogs and multiple steps
of overcoming those
- with WebSocket, browsers will not even show a dialog! WebSockets are so-called
"subresources", and browsers will never render dialogs for these
So in practice, I _have_ to use a CA that is built into all major browsers.
/Tobias
>
> Jean-Paul
>> Really, TLS is broken.
>>
>> We need a new scheme. For encryption session keys, Diffie-Hellman is
>> available, and provides perfect forward secrecy naturally.
>>
>> For authentication, we need a peer-based system like PGP has, not
>> relying on centrally managed trust.
>>
>> I know. Not going to happen any time soon ..
>>
>> /Tobias