Irmen de Jong <[EMAIL PROTECTED]> writes:

> > Well, ok, if you trust the other end then I think it's enough to just
> > authenticate all the pickles (say using hmac.py) without needing
> > something as heavyweight as SSL.
>
> An interesting idea that hadn't crossed my mind yet. Pyro *does*
> already have connection authentication that uses md5 (and hmac since
> 3.5beta) with a shared secret, but after that, the communication is
> done in plaintext so to speak.
Yes, that's what I meant: using hmac to authenticate using a shared
secret, sending the rest in the clear. Note you should also put sequence
numbers in the messages, to stop the attacker from fooling you by
selectively deleting or replaying messages.

>
> You should not want to expose a Pyro service to the internet because
> Python doesn't have Java's security model and sandboxing, that are
> used with RMI. Pyro has a few features that are very powerful
> but also require the use of intrinsically insecure Python code (namely,
> pickle, and marshal).

Can you say some more about this? Does RMI really rely on sandboxes if
you don't send code around, but just expose operations on server-side
objects? I don't think marshal is inherently insecure, since the
unmarshaller doesn't itself execute any marshalled code. It apparently
has some bugs that can confuse it if you send it a malformed marshalled
string, but those can be fixed. Pickle is inherently insecure because of
how it calls class constructors.

> Just look at the recent security advisory about the XMLRPC server
> that comes with Python.... it's much more primitive than Pyro is,
> but even that one was insecure.

I haven't looked at that bug carefully yet, but yes, anything exposed to
the internet has to be done very carefully, and XMLRPC missed something.

> I wouldn't put a Java RMI server or xyz CORBA server or whatever
> kind of unrestricted API open on the internet anyway.
> Am I rational or paranoid?

I haven't used Java enough to advise you on this, but I thought they
were supposed to be ok to expose to the internet. Certainly the whole
idea of .NET is to let you securely provide RPC services (excuse me for
a moment while I try to stop laughing for mentioning security and
Microsoft in the same sentence). And lots of people use things like
SOAP for that.

--
http://mail.python.org/mailman/listinfo/python-list
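The scheme suggested in the reply above (an HMAC over each message under a shared secret, plus a sequence number so deleted or replayed messages are caught) as an added example; this is not code from the thread or from Pyro, and the key, frame layout and message contents are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed shared secret for the example; in practice agree on it out of band.
KEY = b"constructed-shared-secret"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Frame = 8-byte big-endian sequence number || payload || HMAC-SHA256 tag.
    The tag covers the sequence number too, so it cannot be edited unnoticed."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

class Receiver:
    """Checks the tag first, then requires strictly consecutive sequence numbers.
    Assumes one direction of traffic; use a separate key per direction."""
    def __init__(self, key: bytes):
        self.key = key
        self.expected = 0

    def open(self, frame: bytes) -> bytes:
        if len(frame) < 8 + TAG_LEN:
            raise ValueError("truncated: frame too short")
        header, payload, tag = frame[:8], frame[8:-TAG_LEN], frame[-TAG_LEN:]
        good = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(good, tag):  # constant-time comparison
            raise ValueError("bad tag: forged or corrupted frame")
        (seq,) = struct.unpack(">Q", header)
        if seq < self.expected:
            raise ValueError("replay: seq %d already accepted" % seq)
        if seq > self.expected:
            raise ValueError("gap: expected seq %d, got %d (message deleted?)" % (self.expected, seq))
        self.expected = seq + 1
        return payload

def demo() -> dict:
    """Runs a sender and receiver through the accept, replay, gap and tamper cases."""
    rx = Receiver(KEY)
    f0, f1, f2 = (seal(KEY, i, b"call %d" % i) for i in range(3))
    results = {"ok": rx.open(f0)}
    tampered = f1[:8] + b"X" + f1[9:]  # flip the first payload byte of frame 1
    for name, frame in (("replay", f0), ("gap", f2), ("tamper", tampered)):
        try:
            rx.open(frame)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err).split(":")[0]  # failure class only
    results["next"] = rx.open(f1)  # the genuine frame 1 is still accepted
    return results
```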