[Security] client-to-client security :: Summary and todo's

Pavel Simerda pavlix at pavlix.net
Sun Aug 24 04:10:27 CDT 2008


On Sun, 24 Aug 2008 10:41:09 +0200
Dirk Meyer <dmeyer at tzi.de> wrote:

> Pavel Simerda wrote:
> > Maybe I did. I apologise. But you're not making it easy to
> > understand.
> >
> > "Automatic access to something without password is a very bad idea."
> >
> > Where "access to something" = "configure router".
> >
> > I agree that using an unauthenticated service for router
> > configuration is a bad idea.
> >
> > But I never said it should be used for configuration.
> 
> I guess I have to apologise, too for some bad choice of words.

Me too, but there's always enough time to clarify on the ML :).

> > If there are no good implementations of UPnP, don't blame UPnP but
> > the implementations. If it's not possible to make a good
> > implementation (in the sense I describe), let's just say what's
> > wrong and drop it. And possibly pick a protocol that does the right
> > thing and that is likely to be adopted.
> 
> XMPP ;)

It is not, and won't be in any near future, a widely implemented protocol
for port-forward requests, or will it?

> No, I mean it. IMHO UPnP has several design flaws, one is that it can
> not be used outside the LAN (and it should not due to the lack of the
> security). I plan to add support of something similar to the UPnP
> AVRenderer in Freevo as starting point. That is why I write about bots
> so much in these threads. Each UPnP device could be an XMPP bot.

I am interested but I believe we're slowly driving offtopic from
XMPP security stuff. Feel free to contact me directly if you want.

And the relevant direct connection issues could be moved to the
"jingle" mailing lists.

> > Just in case... a common argument on the web is that a trojan horse
> > could set up unwanted port forwarding. That would allow unwanted
> > connections. But this is not a new issue as the trojan can start
> > unwanted connections itself anyway! 
> 
> Agreed, including using a TURN server.
> 

Yep.

> 
> Dirk
> 


-- 

Web: http://www.pavlix.net/
Jabber & Mail: pavlix(at)pavlix.net
OpenID: pavlix.net

