Securing PyDoc and CGIHTTPserver
Jon Schull
schull at digitalgoods.com
Mon Jul 14 15:03:47 EDT 2003

Well, for what it's worth, I was thinking about "sniffing, spoofing, or
man-in-the-middle attacks", and I was hoping for something I could
stick into a program for unsophisticated users (e.g., those to whom one
might give a notepad-like application, albeit with a local webserver
interface).

Everyone who connects to the internet should have a firewall BUT must
all who import httpserver implement or insist on a firewall for all
their users? Realistically? I don't want to think so.

> Uh, yeah.... but the OP wasn't asking about sniffing, spoofing, or
> man-in-the-middle attacks, near as I can tell, nor about using
> encryption. He was suggesting an unusual modification to one or
> more applications which would otherwise be decoupled from security,
> by adding into them features which are better handled by firewalls.
>
> "Security through Obscurity" (e.g., random ports) is not the way to
> go. Instead, use SSL. This can be done through a CGI on Apache
> through an SSL'd port, or it can be done with stunnel. [Or it might
> even be done with raw python using pyOpenSSL or M2Crypto (which I
> haven't done, so I can't tell you anything that direction).]