[Security] client-to-client security :: Summary and todo's

Dirk Meyer dmeyer at tzi.de
Sun Aug 24 03:41:09 CDT 2008

Pavel Simerda wrote:
> Maybe I did. I apologise. But you're not making it easy to understand.
> "Automatic access to something without password is a very bad idea."
> Where "access to something" = "configure router".
> I agree that using an unauthenticated service for router configuration
> is a bad idea.
> But I never said it should be used for configuration.

I guess I have to apologise, too for some bad choice of words.

> If there are no good implementation of UPnP, don't blame UPnP but the
> impelmentations. If it's not possible to make a good implementation (in
> the sense I describe), let's just say what's wrong and drop it. And
> possibly pick a protocol that does the right thing and that is likely
> to be adopted.


No, I mean it. IMHO UPnP has several design flaws, one is that it can
not be used outside the LAN (and it should not due to the lack of the
security). I plan to add support of something similar to the UPnP
AVRenderer in Freevo as starting point. That is why I write about bors
so much in this threads. Each UPnP device could be an XMPP bot.

> Just in case... a common argument on the web is that a trojan horse
> could set up unwanted port forwarding. That would allow unwanted
> connections. But this is not a new issue as the trojan can start
> unwanted connections itself anyway! 

Agreed, including using a TURN server.


VI VI VI    The editor of the beast.

More information about the Security mailing list