> On Mar 22, 2016, at 1:24 PM, Jacob Kaplan-Moss <ja...@jacobian.org> wrote:
>
> I do think encrypting the Redis channel layer is something we should offer:
> Redis out of the box doesn't do transport-layer encryption, which is going to
> make Channels a hard sell to anyone with any form of regulatory/compliance
> requirements. [1]

I don’t know a whole lot about the design of channels, so ymmv, but I tend to be a bit nervous about trying to implement a “mini” replacement for something like TLS because it’s fairly tricky to get right. Even using something like fernet, you still have things like replay attacks and such that may be possible (unless channels design prevents it) that TLS already has baked in protection for.

It is true that Redis doesn’t do TLS out of the box, but adding it is not really *that* hard: you typically just bind redis to a localhost only port (which I think it does by default) and then install stunnel bound to a public port to “unwrap” the TLS before passing it on to redis. On the client side you may need to also run stunnel to “wrap” the stream with TLS if your client does not support it, but redis-py supports TLS’d connections natively so, at least from Python, it’s not any harder to connect to a TLS’d Redis server.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
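
The replay concern raised in the message above, as an added example that is not part of the original post or of Channels: an HMAC-authenticated, timestamped token (a stdlib stand-in for a Fernet-style token, with encryption omitted because replay is about authenticity) still verifies when a captured copy is resent within its TTL, and the receiver needs extra state to reject it. `KEY`, `seal`, `open_token` and `ReplayGuard` are hypothetical names, and the key, clock value and message are constructed.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed sample key, not a real secret

def seal(payload, now):
    """timestamp || payload || HMAC-SHA256: stdlib stand-in for a Fernet-style token."""
    body = struct.pack(">Q", int(now)) + payload
    return body + hmac.new(KEY, body, hashlib.sha256).digest()

def open_token(token, now, ttl):
    """Per-message check only: MAC and age. Raises ValueError on failure."""
    body, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(tag, hmac.new(KEY, body, hashlib.sha256).digest()):
        raise ValueError("bad MAC")
    if now - struct.unpack(">Q", body[:8])[0] > ttl:
        raise ValueError("expired")
    return body[8:]

class ReplayGuard:
    """Receiver state the token format lacks: tags already accepted within the TTL."""
    def __init__(self, ttl):
        self.ttl = ttl
        self.seen = {}  # MAC tag -> time it was first accepted
    def accept(self, token, now):
        payload = open_token(token, now, self.ttl)
        # Tags older than the TTL can be dropped: those tokens now fail the age check.
        self.seen = {t: at for t, at in self.seen.items() if now - at <= self.ttl}
        if token[-32:] in self.seen:
            raise ValueError("replayed")
        self.seen[token[-32:]] = now
        return payload

def demo():
    """Return (stateless receiver accepts a resend, guarded receiver rejects it)."""
    t0 = 1_000_000  # constructed clock value
    token = seal(b'{"channel": "chat", "text": "hi"}', t0)  # constructed message
    stateless = open_token(token, t0 + 1, 60) == open_token(token, t0 + 5, 60)
    guard = ReplayGuard(ttl=60)
    guard.accept(token, t0 + 1)
    try:
        guard.accept(token, t0 + 5)
    except ValueError as exc:
        return stateless, str(exc) == "replayed"
    return stateless, False

if __name__ == "__main__":
    print(demo())
```

The TTL only narrows the window in which a resent token is accepted; rejecting it inside that window takes receiver-side state such as the seen-tag table here.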