[Security] client-to-client security :: Summary and todo's

Dirk Meyer dmeyer at tzi.de
Sun Aug 24 03:50:03 CDT 2008


Pedro Melo wrote:
> Hi,
>
> On Aug 23, 2008, at 5:21 PM, Dirk Meyer wrote:
>> UPnP is a working choice, but bad. Just google for it. Since it is
>> based on HTTP attackers found a way to open ports on your
>> router.
>
> Having an open TCP port is not necessarily a security risk. It only
> becomes a security risk if the server that listens to that port has
> security problems.
>
> Don't blame open TCP ports with mistakes of server programmers.

The point is that app x can forward ports to app y. In my normal use
this is no problem and I'm fine with it. I only have ssh open. But my
parents use Windows and it has a lot of ports open with security
bugs. I cannot blame TCP for it, but I am very happy that a bug in
Flash or something else cannot open a forward on the router. So I
like the fact that a NAT is some sort of firewall for my parents.

>> Besides that, I do not like the idea that every app can open
>> ports.
>
> Well, how are they supposed to accept connections? And please don't
> mention rfc2549 :).

What is wrong with that? I live in the city, we have enough pigeons :)

You are right, I would love to see it working so that an app can open a
port for services. No NAT problem. That would be very user-friendly.
But to trust such a thing for my parents I need a way to make Windows
secure. I guess that is my main problem.

> Really, I think you should get used to it. With IPv6 (and yes, I'm a
> believer :) ) you will (or at least I hope you will) lose that NAT
> security barrier that we have all grown so fond of, and the responsibility
> of server software implementations will be much much greater.

I'm also a believer. I have a /64 network at home with public
addresses. Very nice to have. But back to my parents: if they get IPv6
I would install a firewall on the router to block most incoming
connections.

> Personally, I think we will get user-level firewall APIs: you
> negotiate a Jingle session with your peer and then open the necessary
> ports with a source filter.

Maybe use NAT-PMP and not UPnP. It only covers the forwarding and
already works on some routers. UPnP IGD may be supported by more routers,
but IMHO NAT-PMP is the future.

http://files.dns-sd.org/draft-cheshire-nat-pmp.txt

> but getting back to our topic: you get to authenticate and check
> certificates on that open TCP connections. If you don't trust that,
> our protocol is flawed.

Agreed.


Dirk

-- 
The truth may be out there, but lies are inside your head.
        -- (Terry Pratchett, Hogfather)
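The NAT-PMP message layout from the draft linked above, as an added example that is not from this thread or its authors: a decoder for the mapping request and response datagrams, plus a small audit over constructed LAN traffic that reports which host asked the gateway to open which port, and which responses did not come from the gateway and must be discarded. The addresses and packets are assumed.

```python
import struct

# Opcodes from the NAT-PMP draft; requests go to the default gateway on UDP 5351.
OP_MAP_UDP, OP_MAP_TCP = 1, 2
RESULT = {0: "success", 1: "unsupported version", 2: "refused", 3: "network failure",
          4: "out of resources", 5: "unsupported opcode"}

def parse_request(data: bytes) -> dict:
    """Decode a 12-byte client mapping request (version 0, opcode 1 or 2)."""
    if len(data) != 12 or data[0] != 0 or data[1] not in (OP_MAP_UDP, OP_MAP_TCP):
        raise ValueError("not a NAT-PMP version-0 mapping request")
    reserved, iport, eport, lifetime = struct.unpack("!HHHI", data[2:])
    if reserved:
        raise ValueError("reserved field must be zero")
    return {"op": "map", "proto": "udp" if data[1] == OP_MAP_UDP else "tcp",
            "internal_port": iport, "external_port": eport, "lifetime": lifetime}

def parse_response(data: bytes) -> dict:
    """Decode a 16-byte mapping response; the opcode byte has its high bit set."""
    if len(data) != 16 or data[0] != 0 or data[1] not in (128 + OP_MAP_UDP, 128 + OP_MAP_TCP):
        raise ValueError("not a NAT-PMP mapping response")
    result, epoch, iport, eport, lifetime = struct.unpack("!HIHHI", data[2:])
    return {"proto": "udp" if data[1] == 128 + OP_MAP_UDP else "tcp", "result": RESULT.get(result, "unknown"),
            "epoch": epoch, "internal_port": iport, "external_port": eport, "lifetime": lifetime}

def audit(datagrams, gateway_ip):
    """One alert per request that opens a port (lifetime > 0) and per response that
    did not come from the gateway (clients have to discard those, so log them)."""
    alerts = []
    for src, dst, payload in datagrams:
        try:
            if dst == gateway_ip:
                r = parse_request(payload)
                if r["lifetime"] > 0:
                    alerts.append(f"{src} asked to map {r['proto']}/{r['external_port']} -> :{r['internal_port']} for {r['lifetime']}s")
            elif parse_response(payload) and src != gateway_ip:
                alerts.append(f"response from non-gateway {src}: discard")
        except ValueError:
            continue  # not NAT-PMP, or malformed: not this audit's concern

    return alerts

# Constructed sample traffic on UDP 5351 (hypothetical LAN, gateway 192.168.1.1).
SAMPLE = [
    ("192.168.1.20", "192.168.1.1", bytes([0, 2]) + struct.pack("!HHHI", 0, 22, 22, 7200)),  # open tcp/22
    ("192.168.1.1", "192.168.1.20", bytes([0, 130]) + struct.pack("!HIHHI", 0, 900, 22, 22, 7200)),
    ("192.168.1.77", "192.168.1.20", bytes([0, 130]) + struct.pack("!HIHHI", 0, 5, 22, 22, 7200)),  # spoofed
    ("192.168.1.20", "192.168.1.1", bytes([0, 2]) + struct.pack("!HHHI", 0, 22, 22, 0)),  # lifetime 0 = delete
]
```

Running `audit(SAMPLE, "192.168.1.1")` yields two alerts: the tcp/22 mapping request and the response from 192.168.1.77.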

