[Twisted-web] Nginx vs Twisted Web
Glyph
glyph at twistedmatrix.com
Mon Jul 8 09:18:12 MDT 2013
On Jul 7, 2013, at 11:09 AM, zooko <zooko at zooko.com> wrote:
> Oh, there are some potential security problems, too, with Twisted Web! In its
> default configuration it offers to use single-DES for encryption, which is a
> bad idea even though it isn't clear (to me) whether an attacker could take
> advantage of that.
>
> http://twistedmatrix.com/trac/ticket/5514
>
> It also has compression turned on, apparently, which could lead to a
> vulnerability in very specific circumstances (called "CRIME"), and it by
> default supports RC4, which has recently been condemned by cryptographers as
> potentially unsafe.
>
> Also, it does not, at least with default configuration, support forward
> secrecy.
As far as I understand it, these are all just bad defaults that Twisted inherits from OpenSSL, and whoever built your particular OpenSSL. (I'm pretty sure there are compile-time options for OpenSSL to not include DES, or at least to disable it by default.) That's not to say that we shouldn't offer *better* defaults, but Twisted is not a cryptography library, and for better or worse we rely on OpenSSL's judgement because it's currently the only crypto library we support.
Twisted should have better cipher-suite defaults and some better command-line options for 'twistd web' (probably in the form of better options for the SSL string endpoint syntax) for modifying those defaults if the user has a good reason to. But really, it would be nicer to just defer to the judgement of a transport layer security library that has *good* judgement about defaults rather than re-hashing every questionable decision that OpenSSL makes.
-glyph
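An added example, not code from this thread or from Twisted: the "better defaults" the message argues for, expressed against Python's standard-library ssl module (which, like Twisted, wraps OpenSSL) rather than Twisted's own context factory, plus an audit that flags the four points zooko raises (single DES, RC4, TLS compression/CRIME, no forward secrecy). The cipher string, the forward-secrecy key-exchange set and the constructed sample suites are assumptions for illustration.

```python
import ssl

# Constructed OpenSSL cipher string: drops single DES, 3DES and RC4, and keeps
# only (EC)DHE key exchange so every remaining suite gives forward secrecy.
HARDENED_CIPHERS = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:"
    "!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES"
)

# Key-exchange labels as reported by SSLContext.get_ciphers(). "kx-any" is
# what OpenSSL reports for TLS 1.3 suites, which are always (EC)DHE based.
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe", "kx-any"}


def hardened_context() -> ssl.SSLContext:
    """Server-side context with the defaults the thread asks Twisted for."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION          # TLS compression is the CRIME vector
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE  # server's order wins, not client's
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def audit_ciphers(suites, compression_enabled: bool) -> list:
    """Check a list of get_ciphers()-style dicts; [] means nothing to report."""
    findings = []
    if compression_enabled:
        findings.append("TLS compression enabled (CRIME)")
    for suite in suites:
        name = suite["name"]
        if "RC4" in name:
            findings.append(f"{name}: RC4 stream cipher")
        if "DES" in name:  # matches single DES and 3DES (DES-CBC3-...)
            findings.append(f"{name}: DES-family cipher")
        kea = suite.get("kea", "kx-unknown")
        if kea not in FORWARD_SECRET_KX:
            findings.append(f"{name}: no forward secrecy ({kea})")
    return findings


def audit_context(ctx: ssl.SSLContext) -> list:
    """Run the audit against a live SSLContext as configured."""
    compression_on = not (ctx.options & ssl.OP_NO_COMPRESSION)
    return audit_ciphers(ctx.get_ciphers(), compression_on)
```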