[Security] client-to-client security :: Summary and todo's

Pedro Melo melo at simplicidade.org
Sun Aug 24 03:00:43 CDT 2008


On Aug 23, 2008, at 5:21 PM, Dirk Meyer wrote:
> UPnP is a working choice, but bad. Just google for it. Since it is
> based on HTTP attackers found a way to open ports on your
> router.

Having a open TCP port is not necessarily a security risk. It only  
becomes a security risk if the server that listens to that port has  
security problems.

Don't blame open TCP ports with mistakes of server programmers.

> Besides that, I do not like the idea that every app can open
> ports.

Well, how are they supposed to accept connections? And please don't  
mention rfc2549 :).

Really, I think you should get used to it. With IPv6 (and yes, I'm a  
believer :) ) you will (or at least I hope you will) lose that NAT  
security barrier that we all grown so fond of, and the responsibility  
of server software implementations will be much much greater.  
Personally, I think we will get user-level firewall APIs: you  
negotiate a Jingle session with your peer and then open the necessary  
ports with a source filter.

but getting back to our topic: you get to authenticate and check  
certificates on that open TCP connections. If you don't trust that,  
our protocol is flawed.

best regards,
Pedro Melo
Blog: http://www.simplicidade.org/notes/
XMPP ID: melo at simplicidade.org

More information about the Security mailing list