Python - remote object protocols and security

Jean-Michel Pichavant jeanmichel at sequans.com
Mon Jul 15 14:26:27 CEST 2013


----- Original Message -----

> > I don't mind encrypting data, if someone wants to sniff what I'm
> > sending, he's welcome.
> >
> 
> I don't think the word you need there is "mind," but I get the idea.

You're right, I wanted to state actually the opposite, I don't want to encrypt data because I don't care if someone sniffs it.
It's pretty meaningless and doesn't include credentials.

Basically, I need to transfer numbers (int). Possibly dictionaries like {string: int} in order to structure things a little bit.
I don't think I need a credential system neither, cause if someone is sending me crap with the wrong identity it will only mess my statistics, this is pretty harmless. 

> Even if you have a friendly user sending data, you still need to
> guard
> against code injection because their system may have been
> compromised.

That is definitively something I'm trying to avoid.

> Make sure your deserializing logic (on your own machine) is entirely
> under your control, and impervious to such attacks.  In general, the
> more types that can be encoded, the more likely it's vulnerable.  So
> authors of such libraries have two conflicting goals.

If I understand correctly any available remote protocols are pretty much of the chart.
Since I'm planning to send only int and strings I think I'll follow your advice of serializing/deserializing myself.

> DaveA

thanks,

Jean-Michel


-- IMPORTANT NOTICE: 

The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.


More information about the Python-list mailing list