On Feb 8, 12:33 pm, Michael Merickel <[email protected]> wrote: > Encryption is all well and good but I'm not sure I'll trust encryption in a > library called "insecure_but_secure_enough". :-P
i think its best to be upfront with the shortcomings of technology in general! if you spin up a few AWS instances, you can beat most small encryptions. > Signed cookies are trivial to create within pyramid using signed_serialize > and signed_deserialize. I originally used that , and then looked at some other libraries that offered signed and encrypted cookies because I didn't like signed cookies for autologin. my problems were: - signed only assets that, within a reasonable amount of probability, the payload originated on your server - signed gives the user the serialized payload ( unless you use a callback/function to encrypt/decrypt ). i don't necessarily want the consumer to know what is in the payload. - there was a lack of mechanism for rotating the signing factory. ie, have a table of keys that constantly change. to deter exploitation attempts, most large scale web services / API providers have a fairly quick expiry on how long the singing can last and they rotate keys quickly. so i pieced together a bunch of code from Pyramid's signed_serialize, Facebook's API pattern, and a few other python libraries to make something a bit more general-purpose and more-secure. -- You received this message because you are subscribed to the Google Groups "pylons-discuss" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/pylons-discuss?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
