[Security] client-to-client security :: Summary and todo's
Pedro Melo
melo at simplicidade.org
Sun Aug 24 03:00:43 CDT 2008
Hi,
On Aug 23, 2008, at 5:21 PM, Dirk Meyer wrote:
> UPnP is a working choice, but bad. Just google for it. Since it is
> based on HTTP, attackers found a way to open ports on your
> router.
Having an open TCP port is not necessarily a security risk. It only
becomes a security risk if the server that listens to that port has
security problems.
Don't blame open TCP ports for the mistakes of server programmers.
> Besides that, I do not like the idea that every app can open
> ports.
Well, how are they supposed to accept connections? And please don't
mention rfc2549 :).
Really, I think you should get used to it. With IPv6 (and yes, I'm a
believer :) ) you will (or at least I hope you will) lose that NAT
security barrier that we have all grown so fond of, and the responsibility
of server software implementations will be much much greater.
Personally, I think we will get user-level firewall APIs: you
negotiate a Jingle session with your peer and then open the necessary
ports with a source filter.
But getting back to our topic: you get to authenticate and check
certificates on those open TCP connections. If you don't trust that,
our protocol is flawed.
best regards,
--
Pedro Melo
Blog: http://www.simplicidade.org/notes/
XMPP ID: melo at simplicidade.org
Use XMPP!