Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.lang.python > #108743 > unrolled thread
| Started by | Grant Edwards <grant.b.edwards@gmail.com> |
|---|---|
| First post | 2016-05-17 14:27 +0000 |
| Last post | 2016-05-22 19:29 +0000 |
| Articles | 4 — 3 participants |
Back to article view | Back to comp.lang.python
This discussion starts older than the indexed window; earlier articles aren't shown. The article labeled Started by
below is the oldest one visible, not the original post.
Re: OT: limit number of connections from browser to my server? Grant Edwards <grant.b.edwards@gmail.com> - 2016-05-17 14:27 +0000
Re: OT: limit number of connections from browser to my server? Gregory Ewing <greg.ewing@canterbury.ac.nz> - 2016-05-19 10:58 +1200
Re: OT: limit number of connections from browser to my server? Random832 <random832@fastmail.com> - 2016-05-22 15:04 -0400
Re: OT: limit number of connections from browser to my server? Grant Edwards <grant.b.edwards@gmail.com> - 2016-05-22 19:29 +0000
| From | Grant Edwards <grant.b.edwards@gmail.com> |
|---|---|
| Date | 2016-05-17 14:27 +0000 |
| Subject | Re: OT: limit number of connections from browser to my server? |
| Message-ID | <mailman.62.1463495707.19823.python-list@python.org> |
On 2016-05-17, jmp <jeanmichel@sequans.com> wrote:
> I don't have time to read the whole thread but if I got it right,
> the main CPU consuming part is the crypto.
Yep.
> Why not drop the https part an support only http ?
Product spec explicitly states HTTPS only. I'm told that is not open
for discussion. The customer is a large, somewhat bureaucratic German
corporation, and they generally mean it when they say something is
non-negotiable.
> Is is a device that needs to be accessed in untrusted networks?
> Sorry for asking the obvious :o)
--
Grant Edwards grant.b.edwards Yow! I'm EMOTIONAL
at now because I have
gmail.com MERCHANDISING CLOUT!!
[toc] | [next] | [standalone]
| From | Gregory Ewing <greg.ewing@canterbury.ac.nz> |
|---|---|
| Date | 2016-05-19 10:58 +1200 |
| Message-ID | <dq4adbFhac8U1@mid.individual.net> |
| In reply to | #108743 |
Grant Edwards wrote: > Product spec explicitly states HTTPS only. I'm told that is not open > for discussion. The customer is a large, somewhat bureaucratic German > corporation, and they generally mean it when they say something is > non-negotiable. They're probably being sensible. The way the Internet of Things is shaping up, it's far better to have too much security than too little. -- Greg
[toc] | [prev] | [next] | [standalone]
| From | Random832 <random832@fastmail.com> |
|---|---|
| Date | 2016-05-22 15:04 -0400 |
| Message-ID | <mailman.5.1463943862.20402.python-list@python.org> |
| In reply to | #108790 |
On Wed, May 18, 2016, at 18:58, Gregory Ewing wrote: > Grant Edwards wrote: > > Product spec explicitly states HTTPS only. I'm told that is not open > > for discussion. The customer is a large, somewhat bureaucratic German > > corporation, and they generally mean it when they say something is > > non-negotiable. > > They're probably being sensible. The way the Internet of > Things is shaping up, it's far better to have too much > security than too little. HTTPS provides little to no security on a device which has no domain name, since we don't have any well-established way to manage self-signed certificates, or certificates signed on a basis other than the domain name. It'd be nice if there were a way for IOT devices to have a certificate signed *by the manufacturer*. The entire SSL browser UI paradigm is predicated on the fact that what is verified by a certificate is the domain name, which must match the CN field of the certificate, and provides no way to present a certificate issued on another basis to the user.
[toc] | [prev] | [next] | [standalone]
| From | Grant Edwards <grant.b.edwards@gmail.com> |
|---|---|
| Date | 2016-05-22 19:29 +0000 |
| Message-ID | <mailman.6.1463945401.20402.python-list@python.org> |
| In reply to | #108790 |
On 2016-05-22, Random832 <random832@fastmail.com> wrote: > On Wed, May 18, 2016, at 18:58, Gregory Ewing wrote: >> Grant Edwards wrote: >>> Product spec explicitly states HTTPS only. I'm told that is not open >>> for discussion. The customer is a large, somewhat bureaucratic German >>> corporation, and they generally mean it when they say something is >>> non-negotiable. >> >> They're probably being sensible. The way the Internet of Things is >> shaping up, it's far better to have too much security than too >> little. > > HTTPS provides little to no security on a device which has no domain > name, since we don't have any well-established way to manage > self-signed certificates, or certificates signed on a basis other > than the domain name. It'd be nice if there were a way for IOT > devices to have a certificate signed *by the manufacturer*. The customer can install their own certificate on the server and configure their browsers to require that certificate. They can also configure the server to require that the browser authenticate itself with a specific certificate (which they would have to install on the browser). So, in theory, HTTPS _could_ provide a decent level of security for products like these. Whether anybody actually goes to the trouble to do that, I don't know. I doubt they do, since it requires more than one mouse click, and reading more than 140 characters of text. And, it requires that you understand how SSL certificates work, how to generate them, and in some cases how to set up an internal domain name and DNS server for devices on an air-gapped LAN. -- Grant
[toc] | [prev] | [standalone]
Back to top | Article view | comp.lang.python
csiph-web