On 02:51 pm, tobias.oberst...@tavendo.de wrote:
.. , since I like compression but I also send credentials over TLS :)
IMHO, credentials should never be sent over the wire (be it encrypted
or not) and never be stored in plaintext.
FWIW, Autobahn provides a challenge-response authentication scheme
("WAMP_CRA") that also allows for salted/hashed passwords
(pbkdf2-based) for WebSocket/WAMP.
With TLS, and in a Post-Snowden era, how do you know your TLS server
isn't impersonated and encryption broken?
Personally, I assume root CA private keys of any CA vendor are owned by
the NSA anyway.
There's no rule that says you have to use a "root CA" signed certificate
for your TLS connections.
Jean-Paul
Really, TLS is broken.
We need a new scheme. For encryption session keys, Diffie-Hellman is
available, and provides perfect forward secrecy naturally.
For authentication, we need a peer-based system like PGP has, not
relying on centrally managed trust.
I know. Not going to happen any time soon ..
/Tobias
_______________________________________________
Twisted-Python mailing list
Twisted-Python@twistedmatrix.com
http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
