[Security] client-to-client security :: Summary and todo's

Pavel Simerda pavlix at pavlix.net
Sat Aug 23 16:47:16 CDT 2008


On Sat, 23 Aug 2008 20:37:58 +0200
Dirk Meyer <dmeyer at tzi.de> wrote:

> Dirk Meyer wrote:
> > Pavel Simerda wrote:
> >> On Sat, 23 Aug 2008 18:21:38 +0200
> >> Dirk Meyer <dmeyer at tzi.de> wrote:
> >>> UPnP is a working choice, but bad. Just google for it.
> >>
> >> I know what UPnP is.
> >
> > I mean: google why it is a bad choice :) See below
> 
> This is a good doc:
> http://www.gnucitizen.org/blog/hacking-the-interwebs/
> 
> Automatic access to something without a password is a very bad
> idea. That is why I want certificates for all my bots. I would have no
> problem with a bot on my router opening ports for other bots that have
> a valid certificate.

There is a difference between a password and a key.

There is a difference between a symmetric cryptography key and a pair
of public/private keys for asymmetric cryptosystems.

There are a lot of places where automatic access (read or even write)
without a password (or key) is appropriate.

These general statements about security are usually false (there is
almost always a bunch of cases where it doesn't do any good).

Pavel

> 
> Dirk
> 


-- 

Web: http://www.pavlix.net/
Jabber & Mail: pavlix(at)pavlix.net
OpenID: pavlix.net

