Skip to content

Make secure communication default #46

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 24, 2020
Merged

Make secure communication default #46

merged 1 commit into from
May 24, 2020

Conversation

chrisjbillington
Copy link
Member

Create a shared secret at profile creation time and add it to
labconfig. Raise an error if such an entry is not present, unless
allow_insecure is set instead.

@rpanderson
Copy link
Member

In light of zeromq/pyzmq#1148, should we advise Windows users not using an Anaconda Python distribution to set allow_insecure = True in their labconfig until the speed issue is resolved?

@chrisjbillington
Copy link
Member Author

This will prevent BIAS from talking to zlock at Monash, unless they set allow_insecure = True.

Since zlock talks raw strings that it doesn't do much with (a denial of service attack on being politely asked not to open HDF5 files, anyone?) it is not as important to secure as Python programs unpickling arbitrary data sent to them, so I'm going to look into zlock being able to talk to both encrypted and unencrypted clients. Last time I looked into I couldn't figure it out but I'll give it another shot.

Otherwise I can:

a) write a proxy script that encrypts/decrypts on behalf of a client that doesn't know how to talk crypto, that would work like:
python -m zprocess.cryptoproxy <port to listen on> <server to forward to>:<port> <shared_secret_file>

b) add an option specifically to disable encryption for zlock

@chrisjbillington
Copy link
Member Author

In light of zeromq/pyzmq#1148, should we advise Windows users not using an Anaconda Python distribution to set allow_insecure = True in their labconfig until the speed issue is resolved?

Yes, I think so. Though I'm going to have a stab at fixing that bug.

It'll really slow down image data being sent back to tabs from camera workers, and big dataframes being sent to lyse analysis subprocesses - most communication of all the small stuff we send around will still be fast..

@chrisjbillington
Copy link
Member Author

Though I'm going to have a stab at fixing that bug.

Their setup.py is 1366 lines long 😨

@chrisjbillington
Copy link
Member Author

Windows users not using an Anaconda Python distribution to set allow_insecure = True in their labconfig until the speed issue is resolved?

Actually I think we should advise windows users not on a trusted network to use conda until it's resolved.

@chrisjbillington
Make secure communication default.
76633d8 
Create a shared secret at profile creation time and add it to
labconfig. Raise an error if such an entry is not present, unless
allow_insecure is set instead.
@chrisjbillington chrisjbillington merged commit 6bb2067 into labscript-suite:master May 24, 2020
@chrisjbillington chrisjbillington deleted the security-default-on branch May 24, 2020 17:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@chrisjbillington @rpanderson