[Twisted-Python] Is AMP secure enough for the internet?

Attila Nagy bra at fsn.hu
Sat Feb 27 16:59:46 EST 2010


I'm planning a data collector gateway and wondering whether Twisted's
AMP would be good for the task.
AMP seems to be a good fit for the job, but I'm not sure about the
security. I make the client side too, but I won't operate it, bad guys
can take over that side and I want to protect my side.

What would I like to do:
1. authenticate and authorize connecting clients with their SSL certificates
2. securely transfer arbitrary (binary and json) data from and to the
clients (both the server and client would be twisted)
3. protect the server from malicious clients

I have some concerns about all three. For the first, is this OK now:
http://twistedmatrix.com/pipermail/twisted-python/2007-August/015926.html ?
For the second: the server should not be affected by the data which the
client sends. I mean exploiting bugs in the data paths and limited
protection from DoS, like abusing blocking pieces of code and therefore
halting the reactor, or preventing memory overflow (if it sends 3TBs of
data, it shouldn't be queued up in RAM, I should be in control about
what happens in this case, or twisted should be clear measures for
these) etc...
And by the third I mean the above, plus for example if I have only one
command defined for AMP with one string argument then no matter what
happens, the client should only access that function  with that argument
and no other part of the program.

How do you feel, is Twisted and AMP a good choice for that?


More information about the Twisted-Python mailing list