Send password over TCP connection

Paul Rubin http
Thu Oct 13 19:05:25 EDT 2005


"dcrespo" <dcrespo at gmail.com> writes:
> Important data like diplomatic traffic. Must be accessible from all
> clients immediately after a client publishes his data.  It's an online system.

OK, if it's actual diplomatic traffic you need to work with your
government about criteria.  If you're in the US, you'd get help from
the NSA.  This sounds more like business data.  It's pretty normal to
rely on your VPN.  That will probably be more secure than some
home-cooked protocol.  If it's highly sensitive then you should use
secure terminals (not PCs), hardware crypto tokens at the endpoints,
and so forth.  Please do read Ross Anderson's book, it sounds like you
really might need it.

Can I ask what country you are in?  Also, how is the data supposed to
get handled at the endpoints?  Is it something like text messages that
get displayed on a screen for someone to read?  Or something like
database updates?  Something like a cash dispenser network where the
leaf clients only make online queries (and maybe dispense cash) but
don't really store much data?

There are a lot of industry standards for different applications like
this.  You should follow one if you possibly can, even if you think
your own method is better.  There are two problems you have to
consider.  The first is how to make the system secure.  For that, you
should assume at this point that the people who designed the standards
knew what they were doing.  The second is what you'll tell the jury if
something goes wrong despite your best efforts.  For that, the best
thing you can tell them is "I followed the standard written by the
industry experts that represents the best knowledge in the field", and
almost the worst thing is "I thought I was smarter than the experts so
I used my own home-cooked method".  So in both areas, following
standards is the best policy.

> > Why do you want to do that?  All of them get compromised if the
> > one password is compromised.
> 
> How is it that all of them get compromised?

It sounded like you're using the same password on all the clients.
If not, then that helps.

> > so why do you need this password stuff at all?
> I don't want to permit anyone to run RPC functions. It's my desire.

I don't understand how the password stuff is related to RPC.  You
shouldn't have RPC ports open on the server.

More information about the Python-list mailing list