[Twisted-Python] AutobahnPython 0.6.3 - WebSocket compression and more

Tobias Oberstein tobias.oberstein at tavendo.de
Sun Oct 6 17:02:13 MDT 2013


>> Personally, I assume root CA private keys of any CA vendor are owned by
>> the NSA anyway.
> 
> There's no rule that says you have to use a "root CA" signed certificate
> for your TLS connections.

Sure, in theory, but there are multiple practical problems when using
self-signed certs or certs signed by a CA not built into browsers. As a
starter, here are 3:

- enterprise networks might block those right away with no way for the user
to accept self-signed or import alien CA certs
- the user experience is bad: Firefox scares with dialogs and multiple steps
of overcoming those
- with WebSocket, browers will not even show a dialog! WebSocket are so
called "subresources", and browsers will never render dialogs for these

So in practice, I _have_ to use a CA that is built into all major browsers.

/Tobias

> 
> Jean-Paul
>> Really, TLS is broken.
>> 
>> We need a new scheme. For encryption session keys, Diffie-Hellman is
>> available, and provides perfect forward secrecy naturally.
>> 
>> For authentication, we need a peer-based system like PGP has, not
>> relying on centrally managed trust.
>> 
>> I know. Not going to happen any time soon ..
>> 
>> /Tobias
> 
> _______________________________________________
> Twisted-Python mailing list
> Twisted-Python at twistedmatrix.com
> http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
> 





More information about the Twisted-Python mailing list