On Mon, 2010-03-01 at 02:33 +0200, Tristan Seligmann wrote:
> On Sat, Feb 27, 2010 at 11:59 PM, Attila Nagy firstname.lastname@example.org wrote:
> > What would I like to do:
> > - authenticate and authorize connecting clients with their SSL certificates
> > - securely transfer arbitrary (binary and json) data from and to the
> > clients (both the server and client would be twisted)
> If you're using SSL, then points 1 and 2 are the responsibility of SSL, not AMP, and you should be fine.
> > - protect the server from malicious clients
> I can't really comment on this, as I haven't studied the AMP implementation much; I think there are some built-in limits which will protect against certain kinds of resource DoS, but hopefully somebody else can comment in more detail.
AMP "keys" are limited to 256 bytes and "values" are limited to 64k. So that will prevent your program from handling a malformed AMP packet that tries to exceed those limits....
If the AMP parser detects a parsing problem it will drop the connection.
One of the things you will need to implement yourself is preventing an otherwise legit client from flooding your server with legitimate requests... this is application-specific, and Twisted can't implement a generalized protection mechanism here.
There should not be any way for a client to "access" any parts of your program apart from your pre-defined AMP command-handlers, and anything else for which you "give" access.
Everything in AMP is length-prefixed, so this precludes any "quote-escaping" type vulnerabilities.
There shouldn't be any issues with any of the built-in data types that AMP knows how to handle... if the data doesn't fall within acceptable parameters Python will throw an Exception, and I *imagine* that also results in a connection tear-down, but it's been a while since I've studied the code in depth.
Good luck, and let us know when your AMP-DoSing test suite is available ;)
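To make the framing argument in the reply above concrete (2-byte length prefixes, key and value size limits, and dropping the connection on a malformed box), here is a small stand-alone AMP box encoder and incremental parser. This is an added example, not Twisted's own code or anything posted in the thread: the 255-byte key limit and 65535-byte value limit follow the numbers quoted above, the duplicate-key rejection and the per-box pair cap (MAX_PAIRS_PER_BOX) are extra hardening chosen for this example, and the sample traffic in demo() is constructed.

```python
import struct

# Limits as quoted in the thread ("keys limited to 256 bytes, values to 64k").
# Treating these as the parser's hard ceilings is this example's assumption.
MAX_KEY_LENGTH = 0xFF
MAX_VALUE_LENGTH = 0xFFFF
# Not an AMP rule: an added cap so an unterminated box cannot grow without
# bound in memory. Tune to your application's real command sizes.
MAX_PAIRS_PER_BOX = 1024


class MalformedAmpBox(Exception):
    """Framing violation: the only sane response is to drop the connection."""


def encode_box(box):
    """Serialise a dict of bytes->bytes into one length-prefixed AMP box."""
    out = bytearray()
    for key, value in box.items():
        if not key or len(key) > MAX_KEY_LENGTH:
            raise ValueError("key length out of range")
        if len(value) > MAX_VALUE_LENGTH:
            raise ValueError("value too long")
        out += struct.pack("!H", len(key)) + key
        out += struct.pack("!H", len(value)) + value
    out += b"\x00\x00"  # empty key terminates the box
    return bytes(out)


class AmpBoxReceiver:
    """Incremental parser: feed() raw bytes, collect complete boxes in .boxes.

    Because every key and value is length-prefixed there is no delimiter to
    escape; the parser only ever reads the number of bytes it was told to.
    Any violation raises MalformedAmpBox and marks the receiver dead, which
    is where a real protocol would call transport.loseConnection().
    """

    def __init__(self):
        self._buf = b""
        self._current = {}
        self.boxes = []
        self.dead = False

    def feed(self, data):
        if self.dead:
            raise MalformedAmpBox("connection already dropped")
        self._buf += data
        try:
            self._drain()
        except MalformedAmpBox:
            self.dead = True
            self._buf = b""
            raise

    def _drain(self):
        buf, pos = self._buf, 0
        while len(buf) - pos >= 2:
            (klen,) = struct.unpack_from("!H", buf, pos)
            if klen == 0:  # box terminator
                pos += 2
                self.boxes.append(self._current)
                self._current = {}
                continue
            # Check the declared length before buffering any key bytes.
            if klen > MAX_KEY_LENGTH:
                raise MalformedAmpBox(f"key length {klen} exceeds {MAX_KEY_LENGTH}")
            if len(buf) - pos < 2 + klen + 2:
                break  # wait for the key and the value-length field
            key = buf[pos + 2:pos + 2 + klen]
            (vlen,) = struct.unpack_from("!H", buf, pos + 2 + klen)
            # A 16-bit field cannot exceed MAX_VALUE_LENGTH; the limit is a
            # property of the encoding itself, but state it explicitly.
            if vlen > MAX_VALUE_LENGTH:
                raise MalformedAmpBox(f"value length {vlen} exceeds {MAX_VALUE_LENGTH}")
            start = pos + 4 + klen
            if len(buf) - start < vlen:
                break  # wait for the rest of the value
            if key in self._current:
                raise MalformedAmpBox(f"duplicate key {key!r}")
            if len(self._current) >= MAX_PAIRS_PER_BOX:
                raise MalformedAmpBox("too many pairs in one box")
            self._current[key] = buf[start:start + vlen]
            pos = start + vlen
        self._buf = buf[pos:]


def demo():
    """Constructed traffic: one valid box split across two reads, followed
    by a box whose key-length field claims 300 bytes. Returns
    (parsed boxes, receiver dead?, verdict on the bad box)."""
    good = encode_box({b"_command": b"Sum", b"_ask": b"1", b"a": b"13", b"b": b"81"})
    r = AmpBoxReceiver()
    r.feed(good[:7])   # mid-key: nothing emitted yet
    r.feed(good[7:])   # now the whole box is available
    oversized = (300).to_bytes(2, "big") + b"k" * 300 + b"\x00\x01v" + b"\x00\x00"
    try:
        r.feed(oversized)
        verdict = "accepted"
    except MalformedAmpBox as exc:
        verdict = str(exc)
    return r.boxes, r.dead, verdict


if __name__ == "__main__":
    print(demo())
```

Note that the key check fires on the declared length alone, before any of the 300 key bytes are buffered, and that the 64k value limit needs no runtime check at all: it is what a 2-byte big-endian length field can express. Request-rate limiting for well-formed boxes from an authenticated client is deliberately absent, as the reply says, because only the application knows what "too many" means.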