[Twisted-Python] Clarification for IReactorSSL.ListenSSL(...)

Trevor Perrin trevp at trevp.net
Sat Apr 10 15:19:10 MDT 2004


At 04:59 PM 4/10/2004 +0000, Carl Waldbieser wrote:
>[...]
>The project I am working on is still in its very early stages, so integration
>is not so much of a problem.  I simply lack comprehensive knowledge on issues
>related to security, as well as implementation knowledge.

If I can help, I'm happy to answer questions here or off-list.


>In a nutshell, we are attempting to pass some small but sensitive info
>(username/password) from a client in a DMZ to a server sitting in a trusted
>network.  Even without a strong background in computer security, I am able to
>recognize that that sounds pretty insecure, which is why I am exploring the
>possibility of XMLRPC over HTTPs.

Are you trying to pass the username/password to the server, or 
*authenticate* with the username/password?

If the latter, there are protocols like SRP which let you do mutual 
authentication with a password without sending it over the network - 
basically, each side proves to the other that it knows the password, 
without exposing the password in any way.

So you get strong mutual authentication, but you don't have to mess with 
certs.  TLS Lite provides this, if you're interested.

Trevor 
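The SRP exchange Trevor describes above, as an added worked example that is not part of the original message and is not TLS Lite's or Twisted's own code: an SRP-6a style handshake (after RFC 2945/5054) in which the client and server each prove knowledge of the password, the password itself never appears in any message, and both sides end up with the same session key. The group is the 1024-bit one from RFC 5054 Appendix A; the sample user, password and salt are constructed for the demo, and the use of SHA-256 and the shortened proofs M1/M2 are simplifications assumed here (RFC 5054 specifies SHA-1 and a longer M1).

```python
"""SRP-6a style password-authenticated key exchange (illustrative, not
TLS Lite's code). Server stores only (salt, verifier); the wire carries
I, A, s, B, M1, M2 and never the password. SHA-256 and the short M1/M2
are assumptions; RFC 5054 uses SHA-1 and a longer M1."""
import hashlib
import secrets

# 1024-bit safe-prime group from RFC 5054, Appendix A.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NBYTES = (N.bit_length() + 7) // 8


def pad(x: int) -> bytes:
    """Left-pad an integer to len(N) bytes before hashing (RFC 5054 PAD)."""
    return x.to_bytes(NBYTES, "big")


def H(*parts: bytes) -> int:
    """SHA-256 over the concatenation, as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def private_x(username: bytes, password: bytes, salt: bytes) -> int:
    """x = H(s | H(I ":" P)); only the client computes this at login time."""
    return H(salt, hashlib.sha256(username + b":" + password).digest())


def make_verifier(username: bytes, password: bytes, salt: bytes) -> int:
    """Enrolment: the server stores (salt, v = g^x mod N), not the password."""
    return pow(g, private_x(username, password, salt), N)


k = H(pad(N), pad(g))  # SRP-6a multiplier parameter


class Client:
    def __init__(self, username: bytes, password: bytes):
        self.I, self.P = username, password
        self.a = secrets.randbelow(N - 2) + 1  # ephemeral private value
        self.A = pow(g, self.a, N)

    def hello(self):
        return self.I, self.A  # message 1: identity and public value

    def prove(self, salt: bytes, B: int) -> bytes:
        """Message 3: derive K from (s, B) and return the proof M1."""
        if B % N == 0:
            raise ValueError("bad server public value B")
        u = H(pad(self.A), pad(B))
        if u == 0:
            raise ValueError("bad scrambling parameter u")
        x = private_x(self.I, self.P, salt)
        # B - k*g^x == g^b (mod N), so S == g^(b*(a + u*x)) mod N.
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = hashlib.sha256(pad(S)).digest()
        self.M1 = hashlib.sha256(pad(self.A) + pad(B) + self.K).digest()
        return self.M1

    def verify_server(self, M2: bytes) -> bool:
        """Message 4: the server proves it holds v and derived the same K."""
        want = hashlib.sha256(pad(self.A) + self.M1 + self.K).digest()
        return secrets.compare_digest(want, M2)


class Server:
    def __init__(self, username: bytes, salt: bytes, verifier: int):
        self.users = {username: (salt, verifier)}  # constructed user table

    def challenge(self, I: bytes, A: int):
        """Message 2: reply with (s, B). A real server answers unknown users
        with a fake (s, B) to avoid account enumeration; omitted here."""
        if A % N == 0:
            raise ValueError("bad client public value A")
        salt, v = self.users[I]
        b = secrets.randbelow(N - 2) + 1
        B = (k * v + pow(g, b, N)) % N
        u = H(pad(A), pad(B))
        # (A * v^u)^b == g^(b*(a + u*x)) mod N: the same S the client gets.
        S = pow(A * pow(v, u, N), b, N)
        self.K = hashlib.sha256(pad(S)).digest()
        self.want_M1 = hashlib.sha256(pad(A) + pad(B) + self.K).digest()
        self.M2 = hashlib.sha256(pad(A) + self.want_M1 + self.K).digest()
        return salt, B

    def verify_client(self, M1: bytes):
        """Return M2 only if the client's proof matches; None otherwise."""
        if not secrets.compare_digest(self.want_M1, M1):
            return None
        return self.M2


def run_handshake(client: Client, server: Server):
    """Drive the four messages; return (server_ok, client_ok, transcript)."""
    transcript = []
    I, A = client.hello()
    transcript.append(("C->S", I, A))
    salt, B = server.challenge(I, A)
    transcript.append(("S->C", salt, B))
    M1 = client.prove(salt, B)
    transcript.append(("C->S", M1))
    M2 = server.verify_client(M1)
    transcript.append(("S->C", M2))
    server_ok = M2 is not None
    client_ok = server_ok and client.verify_server(M2)
    return server_ok, client_ok, transcript
```

Usage: enrol once with `v = make_verifier(b"carl", password, salt)`, then `run_handshake(Client(b"carl", password), Server(b"carl", salt, v))` returns `(True, True, transcript)` for the right password and `(False, False, transcript)` for a wrong one. The transcript holds only the identity, salt, group elements and hashes, which is the property the message above is pointing at: a network eavesdropper or a compromised DMZ host sees no password, and the server's stored verifier cannot be replayed as a client credential.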
