[Security] client-to-client security :: Summary and todo's

Dirk Meyer dmeyer at tzi.de
Sat Aug 23 16:59:41 CDT 2008


Pavel Simerda wrote:
> On Sat, 23 Aug 2008 20:37:58 +0200
> Dirk Meyer <dmeyer at tzi.de> wrote:
>
>> Dirk Meyer wrote:
>> > Pavel Simerda wrote:
>> >> On Sat, 23 Aug 2008 18:21:38 +0200
>> >> Dirk Meyer <dmeyer at tzi.de> wrote:
>> >>> UPnP is a working choice, but bad. Just google for it.
>> >>
>> >> I know what UPnP is.
>> >
>> > I mean: google why it is a bad choice :) See below
>> 
>> This is a good doc:
>> http://www.gnucitizen.org/blog/hacking-the-interwebs/
>> 
>> Automatic access to something without a password is a very bad
>> idea. That is why I want certificates for all my bots. I would have no
>> problem with a bot on my router opening ports for other bots that have
>> a valid certificate.
>
> There is a difference between a password and a key.

Sure. I want my bots to have a certificate, but using a key is as good
as that for me. But IMHO there should be something. UPnP has no
security; no keys, no certificates.

> There is a difference between a symmetric cryptography key and a
> pair of public/private keys for asymmetric cryptosystems.

I know that.

> There are a lot of places where automatic access (read or even write)
> without a password (or key) is appropriate.

Yes, but not when it is about changing the DNS server of the router.

> These general statements about security are usually false (there is
> almost always a bunch of cases where it doesn't do any good).

What general statements? Maybe you misunderstood what I wanted to
say: I wanted to say that I do not like the fact that UPnP has no
security and that everything in my LAN can configure my router because
of it. I wanted to have certificates for my bots doing that.


Dirk

-- 
When someone says, 'do you want my opinion?' - have you noticed that
it's always a negative one.

