On Mon, Mar 21, 2016 at 12:11 PM, Sean Brant <brant.s...@gmail.com> wrote:
> How does the new channels model handle requests with sensitive
> information? Say you have a login view and the user is submitting a
> username/password. Does the password get serialized into the message queue
> as plain text? If so, is that a security concern users should be aware of?

With the default backend (redis), yes, it goes over the wire and into Redis as plain text - the overhead of both on-the-wire and at-rest encryption would be reasonably high, so I didn't include it by default; however, I very much hope we'll get at least one channel layer implementation that does do this.

For Redis, at least, you can run a TLS tunnel between machines and point Channels at the local end of the tunnel to get transport security (as it has none of its own).

At-rest is a bit harder - I plan to just turn my redis nodes into memory-only mode so that the data is never persisted, at least (channels doesn't need persistence beyond about a minute), but I can imagine a channel layer where you pass a symmetric encryption key in its configuration or similar.

Andrew
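The "symmetric encryption key in the layer configuration" idea from Andrew's reply, sketched as an added example (not Channels' own code or API): an encrypting wrapper around a plaintext backend, using Fernet from the `cryptography` package, with an in-memory dict standing in for Redis and a constructed login request as the message.

```python
import json
from collections import defaultdict, deque
from cryptography.fernet import Fernet, InvalidToken


class InMemoryLayer:
    """Stand-in for the plaintext backend: what Redis holds today."""
    def __init__(self):
        self.queues = defaultdict(deque)

    def send(self, channel, payload):
        self.queues[channel].append(payload)

    def receive(self, channel):
        return self.queues[channel].popleft() if self.queues[channel] else None


class EncryptedLayer:
    """Encrypts message bodies before they reach the backend (hypothetical wrapper).

    `symmetric_key` plays the role of the key passed in the layer configuration;
    Fernet gives authenticated encryption (AES-128-CBC + HMAC-SHA256) and a
    timestamp, so stale tokens can be rejected on receive.
    """
    def __init__(self, backend, symmetric_key):
        self.backend = backend
        self.fernet = Fernet(symmetric_key)

    def send(self, channel, message):
        self.backend.send(channel, self.fernet.encrypt(json.dumps(message).encode()))

    def receive(self, channel):
        token = self.backend.receive(channel)
        if token is None:
            return None
        # Channels only needs about a minute of persistence: refuse older tokens.
        return json.loads(self.fernet.decrypt(token, ttl=60))


def demo():
    """Returns (password visible in backend?, round-trip intact?, wrong key rejected?)."""
    backend = InMemoryLayer()
    layer = EncryptedLayer(backend, Fernet.generate_key())
    message = {"path": "/login/", "body": "username=alice&password=hunter2"}  # constructed
    layer.send("http.request", message)
    layer.send("http.request", message)
    exposed = b"hunter2" in backend.queues["http.request"][0]  # bytes at rest in "Redis"
    intact = layer.receive("http.request") == message
    try:
        EncryptedLayer(backend, Fernet.generate_key()).receive("http.request")
        rejected = False
    except InvalidToken:
        rejected = True
    return exposed, intact, rejected
```

Transport security between machines is still the TLS tunnel Andrew mentions; this only protects what sits in the backend.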