Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]


Groups > comp.lang.python > #108743 > unrolled thread

Re: OT: limit number of connections from browser to my server?

Started byGrant Edwards <grant.b.edwards@gmail.com>
First post2016-05-17 14:27 +0000
Last post2016-05-22 19:29 +0000
Articles 4 — 3 participants

Back to article view | Back to comp.lang.python

This discussion starts older than the indexed window; earlier articles aren't shown. The article labeled Started by below is the oldest one visible, not the original post.


Contents

  Re: OT: limit number of connections from browser to my server? Grant Edwards <grant.b.edwards@gmail.com> - 2016-05-17 14:27 +0000
    Re: OT: limit number of connections from browser to my server? Gregory Ewing <greg.ewing@canterbury.ac.nz> - 2016-05-19 10:58 +1200
      Re: OT: limit number of connections from browser to my server? Random832 <random832@fastmail.com> - 2016-05-22 15:04 -0400
      Re: OT: limit number of connections from browser to my server? Grant Edwards <grant.b.edwards@gmail.com> - 2016-05-22 19:29 +0000

#108743 — Re: OT: limit number of connections from browser to my server?

FromGrant Edwards <grant.b.edwards@gmail.com>
Date2016-05-17 14:27 +0000
SubjectRe: OT: limit number of connections from browser to my server?
Message-ID<mailman.62.1463495707.19823.python-list@python.org>
On 2016-05-17, jmp <jeanmichel@sequans.com> wrote:

> I don't have time to read the whole thread but if I got it right,
> the main CPU consuming part is the crypto.

Yep.

> Why not drop the https part an support only http ?

Product spec explicitly states HTTPS only.  I'm told that is not open
for discussion.  The customer is a large, somewhat bureaucratic German
corporation, and they generally mean it when they say something is
non-negotiable.

> Is is a device that needs to be accessed in untrusted networks?
> Sorry for asking the obvious :o)

-- 
Grant Edwards               grant.b.edwards        Yow! I'm EMOTIONAL
                                  at               now because I have
                              gmail.com            MERCHANDISING CLOUT!!

[toc] | [next] | [standalone]


#108790

FromGregory Ewing <greg.ewing@canterbury.ac.nz>
Date2016-05-19 10:58 +1200
Message-ID<dq4adbFhac8U1@mid.individual.net>
In reply to#108743
Grant Edwards wrote:
> Product spec explicitly states HTTPS only.  I'm told that is not open
> for discussion.  The customer is a large, somewhat bureaucratic German
> corporation, and they generally mean it when they say something is
> non-negotiable.

They're probably being sensible. The way the Internet of
Things is shaping up, it's far better to have too much
security than too little.

-- 
Greg

[toc] | [prev] | [next] | [standalone]


#108958

FromRandom832 <random832@fastmail.com>
Date2016-05-22 15:04 -0400
Message-ID<mailman.5.1463943862.20402.python-list@python.org>
In reply to#108790
On Wed, May 18, 2016, at 18:58, Gregory Ewing wrote:
> Grant Edwards wrote:
> > Product spec explicitly states HTTPS only.  I'm told that is not open
> > for discussion.  The customer is a large, somewhat bureaucratic German
> > corporation, and they generally mean it when they say something is
> > non-negotiable.
> 
> They're probably being sensible. The way the Internet of
> Things is shaping up, it's far better to have too much
> security than too little.

HTTPS provides little to no security on a device which has no domain
name, since we don't have any well-established way to manage self-signed
certificates, or certificates signed on a basis other than the domain
name. It'd be nice if there were a way for IOT devices to have a
certificate signed *by the manufacturer*.

The entire SSL browser UI paradigm is predicated on the fact that what
is verified by a certificate is the domain name, which must match the CN
field of the certificate, and provides no way to present a certificate
issued on another basis to the user.

[toc] | [prev] | [next] | [standalone]


#108959

FromGrant Edwards <grant.b.edwards@gmail.com>
Date2016-05-22 19:29 +0000
Message-ID<mailman.6.1463945401.20402.python-list@python.org>
In reply to#108790
On 2016-05-22, Random832 <random832@fastmail.com> wrote:
> On Wed, May 18, 2016, at 18:58, Gregory Ewing wrote:
>> Grant Edwards wrote:
>>> Product spec explicitly states HTTPS only.  I'm told that is not open
>>> for discussion.  The customer is a large, somewhat bureaucratic German
>>> corporation, and they generally mean it when they say something is
>>> non-negotiable.
>> 
>> They're probably being sensible. The way the Internet of Things is
>> shaping up, it's far better to have too much security than too
>> little.
>
> HTTPS provides little to no security on a device which has no domain
> name, since we don't have any well-established way to manage
> self-signed certificates, or certificates signed on a basis other
> than the domain name. It'd be nice if there were a way for IOT
> devices to have a certificate signed *by the manufacturer*.

The customer can install their own certificate on the server and
configure their browsers to require that certificate.  They can also
configure the server to require that the browser authenticate itself
with a specific certificate (which they would have to install on the
browser).

So, in theory, HTTPS _could_ provide a decent level of security for
products like these.

Whether anybody actually goes to the trouble to do that, I don't know.

I doubt they do, since it requires more than one mouse click, and
reading more than 140 characters of text.

And, it requires that you understand how SSL certificates work, how to
generate them, and in some cases how to set up an internal domain name
and DNS server for devices on an air-gapped LAN.

--
Grant



[toc] | [prev] | [standalone]


Back to top | Article view | comp.lang.python


csiph-web