Foundations of Python Network Programming 978-1-4302-3004-5
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
CHAPTER 6 ■ TLS AND SSL<br />
Second, write as little code as possible. Rely on well-written and thoroughly tested third-party code<br />
whenever you can, with a special emphasis on using tools that seem to be well tested and actively<br />
maintained. One reason for using common technologies over obscure tools that you think might be<br />
better is that the code with the larger community is more likely to have its weaknesses and<br />
vulnerabilities discovered and resolved. Keep everything upgraded and up-to-date when possible, from<br />
the operating system and your <strong>Python</strong> install to the particular distributions you are using <strong>of</strong>f <strong>of</strong> PyPI.<br />
And, <strong>of</strong> course, isolate your projects from each other by giving each <strong>of</strong> them its own virtual environment<br />
using the virtualenv command discussed in Chapter 1.<br />
Third, the fact that you are reading this book indicates that you have probably already adopted one<br />
<strong>of</strong> my most important recommendations: to use a high-level language like <strong>Python</strong> for application<br />
development. Whole classes <strong>of</strong> security problems disappear when your code can talk directly about<br />
dictionaries, Unicode strings, and iteration over complex data structures, instead <strong>of</strong> having to<br />
manipulate raw integers every time it wants to visit every item in a list. Repetition and verbosity not only<br />
waste your time and cut your productivity, but also directly increase your chance <strong>of</strong> making a mistake.<br />
Fourth, as you strive for elegant and simple solutions, try to learn as much as possible about the<br />
problem domain if many people have tackled it before you. Read about cross-scripting attacks (see<br />
Chapter 9) if you are writing a web site; about SQL injection attacks if your application talks to a<br />
database; about the sordid history <strong>of</strong> privilege escalation attacks if your system will support users who<br />
have different permission levels; and about viruses and Trojan horses if you are writing an e-mail client.<br />
Fifth and finally, since you will probably lack the time (not to mention the omniscience) to build<br />
your entire application out <strong>of</strong> perfect code, try to focus on the edges <strong>of</strong> your code where it interacts with<br />
data from the outside. Several minutes spent writing code to examine a web form variable, checking it<br />
every which way to make sure it really and truly looks like, say, a string <strong>of</strong> digits, can be worth hours <strong>of</strong><br />
precaution further inside the program that will be necessary if the bad value can make it all the way to<br />
the database and have to be dealt with there.<br />
It was a great day, to take a concrete example, when C programmers stopped thinking that their<br />
servers had to always run as root—which had risked the compromise <strong>of</strong> the entire machine if something<br />
were to go wrong—and instead wrote network daemons that would start up, grab the low-numbered<br />
port on which their service lived, and then immediately drop their privileges to those <strong>of</strong> a normal user.<br />
They almost seemed to consider it a contest to see how few lines <strong>of</strong> code they could leave in the part <strong>of</strong><br />
their program that ran with root privileges. And this brought about a vast reduction in exposure. Your<br />
<strong>Python</strong> code is the same way: fewer lines <strong>of</strong> code that run before you have verified the sanity <strong>of</strong> an input<br />
value, or tested for a subtle error, mean that less <strong>of</strong> the surface area <strong>of</strong> your program can harbor bugs<br />
that enemies could exploit.<br />
But, again, the subject is a large one. Read blogs like “Schneier on Security,” watch vendor security<br />
announcements like those on the Google Online Security Blog, and consult good books on the subject if<br />
you are going to be writing lots <strong>of</strong> security-sensitive code.<br />
You should at least read lots <strong>of</strong> war stories about how intrusions have occurred, whether from<br />
security alerts or on popular blogs; then you will know ahead <strong>of</strong> time to forearm your code against the<br />
same kinds <strong>of</strong> disasters. Plus, such accounts are also quite entertaining if you like to learn the details <strong>of</strong><br />
how systems work—and to learn about the unending cleverness <strong>of</strong> those who want to subvert them.<br />
IP Access Rules<br />
During the 1980s, the Internet grew from a small research network to a large enough community that it<br />
was unwise to trust everyone who happened to have access to an IP address. Prudence began to dictate<br />
that many services on each host either be turned <strong>of</strong>f, or restricted so that only hosts in a pre-approved<br />
list were allowed to connect. But each piece <strong>of</strong> s<strong>of</strong>tware had its own rules for how you specified the hosts<br />
that should be allowed to connect and the hosts whose connections should be rejected.<br />
In 1990, Wietse Venema introduced the TCP Wrappers, and suggested that all Internet server<br />
programs could use this single piece <strong>of</strong> code to make access decisions. The idea was that rather than<br />
requiring every piece <strong>of</strong> s<strong>of</strong>tware to have a separate configuration file, which made it impossible for<br />
88