OT: limit number of connections from browser to my server?

Grant Edwards grant.b.edwards at gmail.com
Sun May 22 15:29:46 EDT 2016


On 2016-05-22, Random832 <random832 at fastmail.com> wrote:
> On Wed, May 18, 2016, at 18:58, Gregory Ewing wrote:
>> Grant Edwards wrote:
>>> Product spec explicitly states HTTPS only.  I'm told that is not open
>>> for discussion.  The customer is a large, somewhat bureaucratic German
>>> corporation, and they generally mean it when they say something is
>>> non-negotiable.
>> 
>> They're probably being sensible. The way the Internet of Things is
>> shaping up, it's far better to have too much security than too
>> little.
>
> HTTPS provides little to no security on a device which has no domain
> name, since we don't have any well-established way to manage
> self-signed certificates, or certificates signed on a basis other
> than the domain name. It'd be nice if there were a way for IOT
> devices to have a certificate signed *by the manufacturer*.

The customer can install their own certificate on the server and
configure their browsers to require that certificate.  They can also
configure the server to require that the browser authenticate itself
with a specific certificate (which they would have to install on the
browser).

So, in theory, HTTPS _could_ provide a decent level of security for
products like these.

Whether anybody actually goes to the trouble to do that, I don't know.

I doubt they do, since it requires more than one mouse click, and
reading more than 140 characters of text.

And, it requires that you understand how SSL certificates work, how to
generate them, and in some cases how to set up an internal domain name
and DNS server for devices on an air-gapped LAN.

--
Grant
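As an added example (not code from this thread or from the device in question), the two measures Grant describes, done with Python's `ssl` module: the device presents its own self-signed certificate and the browser is configured to trust exactly that certificate, and the device in turn refuses any browser that does not present the one client certificate the customer installed. The `openssl` command-line tool is assumed to be installed; `DEVICE_IP`, the certificate names and the common names are constructed for the demo. A private CA issuing both certificates is the variant that scales past a handful of devices, but the pinning shown here is the minimal form of what the post proposes.

```python
"""Pinned self-signed certs plus client-certificate auth for a LAN device.

Added example, not from the mailing-list thread. Assumes the openssl CLI
is on PATH (1.1.1 or newer, for -addext); DEVICE_IP and all names are
constructed for the demo.
"""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

DEVICE_IP = "127.0.0.1"  # constructed: the device's fixed address on the LAN


def openssl_available() -> bool:
    return shutil.which("openssl") is not None


def _openssl(*args, cwd):
    subprocess.run(["openssl", *args], cwd=cwd, check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def make_certs(d):
    """Two self-signed certs; each becomes the other side's only trust anchor."""
    # Server cert carries an IP SAN so the browser's address check passes
    # without any DNS on the air-gapped LAN.
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "365",
             "-subj", "/CN=iot-device", "-addext", f"subjectAltName=IP:{DEVICE_IP}",
             "-keyout", "server.key", "-out", "server.crt", cwd=d)
    # Client cert: this is what the customer installs in the browser.
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "365",
             "-subj", "/CN=browser-user",
             "-keyout", "client.key", "-out", "client.crt", cwd=d)


def server_context(d):
    """Device side: present server.crt, accept only the pinned client.crt."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(os.path.join(d, "server.crt"), os.path.join(d, "server.key"))
    ctx.load_verify_locations(os.path.join(d, "client.crt"))
    ctx.verify_mode = ssl.CERT_REQUIRED  # no client cert -> handshake rejected
    return ctx


def client_context(d, with_client_cert):
    """Browser side: trust only server.crt (no public roots), check the address."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname
    ctx.load_verify_locations(os.path.join(d, "server.crt"))
    if with_client_cert:
        ctx.load_cert_chain(os.path.join(d, "client.crt"), os.path.join(d, "client.key"))
    return ctx


def handshake(d, with_client_cert):
    """Loopback TLS session; returns the client CN the device saw, or None."""
    lsock = socket.socket()
    lsock.bind((DEVICE_IP, 0))
    lsock.listen(1)
    port = lsock.getsockname()[1]
    seen = []

    def serve():
        conn, _ = lsock.accept()
        conn.settimeout(5)
        try:
            with server_context(d).wrap_socket(conn, server_side=True) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                seen.append(subject["commonName"])
                tls.sendall(b"ok")  # application data flows only after auth
        except (ssl.SSLError, OSError):
            pass  # rejected: nothing the device serves ever left the socket

    t = threading.Thread(target=serve)
    t.start()
    try:
        with socket.create_connection((DEVICE_IP, port), timeout=5) as raw:
            with client_context(d, with_client_cert).wrap_socket(
                    raw, server_hostname=DEVICE_IP) as tls:
                tls.recv(2)  # under TLS 1.3 the server's rejection surfaces here
    except (ssl.SSLError, OSError):
        pass
    finally:
        t.join()
        lsock.close()
    return seen[0] if seen else None


def run_demo():
    """Expect {'with_cert': 'browser-user', 'without_cert': None}."""
    with tempfile.TemporaryDirectory() as d:
        make_certs(d)
        return {"with_cert": handshake(d, True),
                "without_cert": handshake(d, False)}


if __name__ == "__main__":
    print(run_demo())
```

Running the file mints the two certificates in a temporary directory and performs two loopback handshakes. The `recv` after the client-side handshake matters: with TLS 1.3 the client finishes its half of the handshake before the server has evaluated the (missing) client certificate, so the rejection only becomes visible on the first read.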