[Twisted-web] Nginx vs Twisted Web

zooko zooko at zooko.com
Sun Jul 7 12:09:39 MDT 2013


My startup company, https://LeastAuthority.com, uses Twisted Web for the
public-facing web server and the customer signup server. We chose it for
security. Even though we like nginx and use nginx for other purposes (e.g.
https://tahoe-lafs.org), we think the Twisted codebase is less likely to harbor
exploitable bugs, in part because it is written in Python instead of C, and in
part because it has fewer features. Also, because the Twisted development
process seems likely to limit the rate of dangerous bugs being added in new
releases.

On the topic of reliability, the way we use it is just to start it with a
cronjob when the server boots up. The Twisted Web process has never yet died of
its own accord, and if it ever did we would manually restart it, and
investigate in the attempt to ascertain what had happened, rather than just
automatically restart it.

Oh, there are some potential security problems, too, with Twisted Web! In its
default configuration it offers to use single-DES for encryption, which is a
bad idea even though it isn't clear (to me) whether an attacker could take
advantage of that.

http://twistedmatrix.com/trac/ticket/5514

It also has compression turned on, apparently, which could lead to a
vulnerability in very specific circumstances (called "CRIME"), and it by
default supports RC4, which has recently been condemned by cryptographers as
potentially unsafe.

Also, it does not, at least with default configuration, support forward
secrecy.

Here's a report from ssllabs.com about the settings of
https://LeastAuthority.com:

https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Fleastauthority.com

Although I would like to see those things improved (I would like for the report
to look more like this:
https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Fzooko.com , which
is an nginx installation), none of them are as important to us as reducing the
chance that an attacker could exploit a bug in the software to gain access to
the server.

Regards,

Zooko
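A hardened TLS server configuration covering the four points raised in the post (compression, single-DES, RC4, forward secrecy), written as an added example with Python's standard-library `ssl` module rather than Twisted's own API; it is not code from the post or from Twisted. The cipher string is the example's own choice, and the assumption that later Twisted releases accept such an OpenSSL cipher string through `CertificateOptions(acceptableCiphers=...)` is mine, not the post's.

```python
import ssl

# OpenSSL cipher string: only forward-secret (ECDHE/DHE) AEAD suites.
# This string is the example's own choice, not a Twisted default.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5"

# Name fragments marking the algorithms the post objects to.
# "DES" matches both single-DES and 3DES suite names.
WEAK_MARKERS = ("RC4", "DES")


def hardened_server_context():
    """Server-side TLS context: compression off, weak suites excluded."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION  # removes the CRIME precondition
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def audit_context(ctx):
    """Return a list of problems found in a context's negotiable suites.

    Each entry of ctx.get_ciphers() describes one suite; its 'kea' field is
    the key-exchange algorithm ('kx-ecdhe', 'kx-dhe', 'kx-rsa', or 'kx-any'
    for TLS 1.3 suites). Static RSA key exchange means no forward secrecy.
    """
    findings = []
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("compression enabled")
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if any(marker in name for marker in WEAK_MARKERS):
            findings.append("weak cipher: " + name)
        if suite["kea"] == "kx-rsa":
            findings.append("no forward secrecy: " + name)
    return findings


def cipher_names(ctx):
    """Names of the suites the context is willing to negotiate."""
    return [suite["name"] for suite in ctx.get_ciphers()]


if __name__ == "__main__":
    ctx = hardened_server_context()
    print("negotiable suites:", cipher_names(ctx))
    print("findings:", audit_context(ctx) or "none")
```

Run `audit_context` against any context you build (for example one using OpenSSL's default string) to see which of the post's four concerns it would still report.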
