[Security] client-to-client security :: Summary and todo's
dmeyer at tzi.de
Sun Aug 24 03:41:09 CDT 2008
Pavel Simerda wrote:
> Maybe I did. I apologise. But you're not making it easy to understand.
> "Automatic access to something without password is a very bad idea."
> Where "access to something" = "configure router".
> I agree that using an unauthenticated service for router configuration
> is a bad idea.
> But I never said it should be used for configuration.
I guess I have to apologise, too for some bad choice of words.
> If there are no good implementation of UPnP, don't blame UPnP but the
> impelmentations. If it's not possible to make a good implementation (in
> the sense I describe), let's just say what's wrong and drop it. And
> possibly pick a protocol that does the right thing and that is likely
> to be adopted.
No, I mean it. IMHO UPnP has several design flaws, one is that it can
not be used outside the LAN (and it should not due to the lack of the
security). I plan to add support of something similar to the UPnP
AVRenderer in Freevo as starting point. That is why I write about bors
so much in this threads. Each UPnP device could be an XMPP bot.
> Just in case... a common argument on the web is that a trojan horse
> could set up unwanted port forwarding. That would allow unwanted
> connections. But this is not a new issue as the trojan can start
> unwanted connections itself anyway!
Agreed, including using a TURN server.
VI VI VI The editor of the beast.
More information about the Security