[Twisted-Python] AutobahnPython 0.6.3 - WebSocket compression and more

Tobias Oberstein tobias.oberstein at tavendo.de
Sun Oct 6 08:51:47 MDT 2013


>.. , since I like compression but I also send credentials over TLS :)

IMHO, credentials should never be sent over the wire (be it encrypted or not) and never be stored in plaintext.

FWIW, Autobahn provides a challenge-response authentication scheme ("WAMP_CRA") that also allows for salted/hashed passwords (pbkdf2-based) for WebSocket/WAMP.

With TLS, and in a Post-Snowden era, how do you know your TLS server isn't impersonated and encryption broken?

Personally, I assume root CA private keys of any CA vendor are owned by the NSA anyway.

Really, TLS is broken.

We need a new scheme. For encryption session keys, Diffie-Hellman is available, and provides perfect forward secrecy naturally.

For authentication, we need a peer-based system like PGP has, not relying on centrally managed trust.

I know. Not going to happen any time soon ..

/Tobias
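The challenge-response scheme mentioned above, reduced to a standalone sketch added here for illustration (this is not Autobahn's own code): the server stores only a PBKDF2-derived key, the client proves it knows the password by HMAC-signing a fresh challenge, and the plaintext password never crosses the wire. Salt, iteration count, key length and the challenge layout are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

ITERATIONS = 1000  # assumption: illustrative iteration count, not a recommendation
KEY_LEN = 32       # assumption: 32-byte derived key


def derive_key(password: str, salt: str, iterations: int = ITERATIONS, keylen: int = KEY_LEN) -> bytes:
    """Server-side stored credential: PBKDF2-SHA256 of the password. Plaintext is never kept."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations, keylen)


def make_challenge(authid: str, session_id: int) -> str:
    """Server builds a one-time challenge carrying a fresh random nonce (constructed layout)."""
    return json.dumps({"authid": authid, "session": session_id,
                       "nonce": secrets.token_hex(16)}, sort_keys=True)


def sign_challenge(key: bytes, challenge: str) -> str:
    """Both sides compute HMAC-SHA256 over the challenge string with the derived key."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def verify_signature(key: bytes, challenge: str, signature: str) -> bool:
    """Server check: constant-time comparison against the signature it expects."""
    return hmac.compare_digest(sign_challenge(key, challenge), signature)


def run_handshake(password_entered: str, stored: dict) -> bool:
    """Full exchange. Only the challenge, the KDF parameters and the signature travel."""
    challenge = make_challenge(stored["authid"], 12345)
    # client side: re-derives the key from its password plus the salt/params sent along
    client_key = derive_key(password_entered, stored["salt"],
                            stored["iterations"], stored["keylen"])
    signature = sign_challenge(client_key, challenge)
    # server side: verifies using the stored derived key; it never sees the password
    return verify_signature(stored["key"], challenge, signature)


# constructed sample credential record (salt would be random per user in practice)
SALT = "demo-salt"
STORE = {"authid": "alice", "salt": SALT, "iterations": ITERATIONS,
         "keylen": KEY_LEN, "key": derive_key("correct horse", SALT)}
```

Because each challenge carries a fresh nonce, a signature captured for one challenge does not verify against another, which is what makes the exchange replay-resistant.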


