[Twisted-Python] Potential PB Security Problem (And Solution)
Glyph Lefkowitz
glyph at twistedmatrix.com
Sat Feb 16 12:59:09 EST 2002
On Sat, 2002-02-16 at 06:39, Donovan Baarda wrote:
> On Sat, Feb 16, 2002 at 05:42:48AM -0600, Glyph Lefkowitz wrote:
> > There are two kinds of "who" here. One "who" is to know the objects
> > that will have knowledge of your object. That's encapsulation, which is
> > all well and good, but we break it sometimes, for various reasons;
> > python's nifty because it lets us do that when necessary. The other
> > "who" is more important, though: it's the actual *people* that will have
> > access to the information that you're sending through that method call.
>
> coming completely out of the blue with no experience or understanding to
> give me enough qualifications to even comment (but doing it anyway :-).
>
> Just a thought; why is a local object any more trustworthy than a remote
> one? To me the local vs remote trust boundary seem to be a bit arbitary. It
> is better to think about the trust relationship between the objects than
> where they are located. Why and how do the objects trust each other?
You're confusing "objects" and "people".
I don't trust the remote objects because (A) the communication to them
is potentially visible over the wire and (B) they don't actually exist
on physical hardware I control, e.g. their behavior might have been
tampered with. They are under the complete control of another person,
who might as well be speaking the wire-protocol personally.
Thinking from a security viewpoint, they *have* already been tampered
with, and the question is "how do I reduce the impact of that on my
service?".
> Perhaps this _can_ be reduced to "Because it's local and hence I or some
> other local object I trust created it". However, I think once you start
> going down the path of secure transactions between objects, it's better to
> try and provide a generalised solution. There are various ways that
> authenticated and secured communications between objects can be implemented,
> and perhaps even made "translucent".
What gave you the idea we were talking about secure distributed
transactions? I'm just talking about making our current implementation
of remote communications more secure (by default).
--
"Cannot stand to be one of many -- I'm not what they are."
-Guster, "Rocketship"
glyph lefkowitz; ninjaneer, freelance demiurge
glyph @ [ninjaneering|twistedmatrix].com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: This is a digitally signed message part
Url : http://twistedmatrix.com/pipermail/twisted-python/attachments/20020216/41584f64/attachment.pgp
More information about the Twisted-Python
mailing list