[Twisted-web] Nginx vs Twisted Web

Glyph glyph at twistedmatrix.com
Mon Jul 8 09:18:12 MDT 2013


On Jul 7, 2013, at 11:09 AM, zooko <zooko at zooko.com> wrote:

> Oh, there are some potential security problems, too, with Twisted Web! In its
> default configuration it offers to use single-DES for encryption, which is a
> bad idea even though it isn't clear (to me) whether an attacker could take
> advantage of that.
> 
> http://twistedmatrix.com/trac/ticket/5514
> 
> It also has compression turned on, apparently, which could lead to a
> vulnerability in very specific circumstances (called "CRIME"), and it by
> default supports RC4, which has recently been condemned by cryptographers as
> potentially unsafe.
> 
> Also, it does not, at least with default configuration, support forward
> secrecy.

As far as I understand it, these are all just bad defaults that Twisted inherits from OpenSSL, and whoever built your particular OpenSSL.  (I'm pretty sure there are compile-time options for OpenSSL to not include DES, or at least to disable it by default.)  That's not to say that we shouldn't offer *better* defaults, but Twisted is not a cryptography library, and for better or worse we rely on OpenSSL's judgement because it's currently the only crypto library we support.

Twisted should have better cipher-suite defaults and some better command-line options for 'twistd web' (probably in the form of better options for the SSL string endpoint syntax) for modifying those defaults if the user has a good reason to.  But really, it would be nicer to just defer to the judgement of a transport layer security library that has *good* judgement about defaults rather than re-hashing every questionable decision that OpenSSL makes.

-glyph
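An added illustration, not part of the thread and not Twisted's own code: using only Python's standard ssl module (instead of Twisted's endpoint syntax), it audits what a TLS context would actually negotiate for the three cipher-level problems zooko lists (single DES, RC4, key exchange without forward secrecy) plus compression, and builds a server context configured the way glyph suggests the defaults should be. The cipher string and the sample `openssl ciphers -v` lines are this example's own assumptions.

```python
import ssl

def parse_cipher(description):
    """Split one 'openssl ciphers -v' style line into name, protocol and the
    Kx=/Au=/Enc=/Mac= fields, the same format ssl.SSLContext.get_ciphers() exposes."""
    tokens = description.split()
    fields = dict(t.split("=", 1) for t in tokens[2:] if "=" in t)
    return tokens[0], tokens[1], fields

def audit_ciphers(descriptions):
    """Report suites matching the weaknesses raised in the thread:
    single DES, RC4, and key exchange that offers no forward secrecy."""
    findings = {"single_des": [], "rc4": [], "no_forward_secrecy": []}
    for desc in descriptions:
        name, proto, f = parse_cipher(desc)
        enc = f.get("Enc", "")
        if enc.startswith("DES("):      # Enc=DES(56); triple DES appears as 3DES(168)
            findings["single_des"].append(name)
        if enc.startswith("RC4("):
            findings["rc4"].append(name)
        # TLS 1.3 suites are always ephemeral; older ones need (EC)DHE key exchange
        if proto != "TLSv1.3" and f.get("Kx") not in ("ECDH", "DH"):
            findings["no_forward_secrecy"].append(name)
    return findings

def hardened_context():
    """Server context opposite to the defaults complained about: compression off
    (CRIME), TLS 1.2 or newer, AEAD suites with ECDHE key exchange only.
    The cipher string is an assumption for this example, not a Twisted default."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!DES:!RC4")
    return ctx

def audit_context(ctx):
    """Audit what the context will actually negotiate, not what was requested."""
    report = audit_ciphers(c["description"] for c in ctx.get_ciphers())
    report["compression_enabled"] = not (ctx.options & ssl.OP_NO_COMPRESSION)
    return report

# Constructed sample lines in 'openssl ciphers -v' format, covering the kinds
# of suites the thread objects to; not captured from any real server.
SAMPLE_DESCRIPTIONS = [
    "DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1",
    "RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1",
    "AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1",
    "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD",
]

if __name__ == "__main__":
    print(audit_ciphers(SAMPLE_DESCRIPTIONS))
    print(audit_context(hardened_context()))
```

Running the audit against a live context rather than a cipher string is the point: OpenSSL's build-time options and the cipher-string negation rules decide the final list, so checking the negotiated set is what catches an unexpected DES or RC4 suite.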

