[Security] client-to-client security :: Summary and todo's
pavlix at pavlix.net
Sun Aug 24 04:20:30 CDT 2008
On Sun, 24 Aug 2008 10:50:03 +0200
Dirk Meyer <dmeyer at tzi.de> wrote:
> Pedro Melo wrote:
> > Hi,
> > On Aug 23, 2008, at 5:21 PM, Dirk Meyer wrote:
> >> UPnP is a working choice, but bad. Just google for it. Since it is
> >> based on HTTP attackers found a way to open ports on your
> >> router.
> > Having an open TCP port is not necessarily a security risk. It only
> > becomes a security risk if the server that listens to that port has
> > security problems.
> > Don't blame open TCP ports with mistakes of server programmers.
> The point is that app x can forward ports to app y. In my normal use
> this is no problem and I'm fine with it. I only have ssh open. But my
> parents use Windows and it has a lot of ports open with security
> bugs. I cannot blame TCP for it, but I am very happy that a bug in
> Flash or something else can not open a forward on the router. So I
> like the fact that a NAT is some sort of firewall for my parents.
Of course it can open a connection; what's the difference in security
between an explicit *portforward* and an implicit *tracked connection*?
Sure it couldn't open ports for other apps (and this is a security bug
in the router imho, possibly based on flawed specs) but it doesn't
matter. It can forward the traffic itself if needed with no need to do
> >> Besides that, I do not like the idea that every app can open
> >> ports.
> > Well, how are they supposed to accept connections? And please don't
> > mention rfc2549 :).
> What is wrong with that? I live in the city, we have enough pidgins :)
> You are right, I would love to see it working that an app can open a
> port for services. No NAT problem. That would be very userfriendly.
> But to trust such a thing for my parents I need a way to make Windows
> secure. I guess that is my main problem.
If this is the main problem, then it's not so bad ;).
> > Really, I think you should get used to it. With IPv6 (and yes, I'm a
> > believer :) ) you will (or at least I hope you will) lose that NAT
> > security barrier that we have all grown so fond of, and the
> > responsibility of server software implementations will be much much
> > greater.
> I'm also a believer. I have a /64 network at home with public
> addresses. Very nice to have. But back to my parents: if they get IPv6
> I would install a firewall on the router to block most incoming
Sure you would. But aren't the techniques to go through stateful
firewalls you cannot configure similar to those for NAT?
And any "local admin" can allow specific ports with suitable
documentation. So if the c2c connections use a specific port (as
configured in the client, we already did it for filetransfer), you can
just enable it.
A good router UI might possibly provide simple checkboxes like "Allow
Direct XMPP" and similar.
> > Personally, I think we will get user-level firewall APIs: you
> > negotiate a Jingle session with your peer and then open the
> > necessary ports with a source filter.
> Maybe use NAT-PMP and not UPnP. It only covers the forwarding and
> already works on some routers. UPnP IGD may be supported by more routers
> but IMHO NAT-PMP is the future.
Thanks a lot.
> > but getting back to our topic: you get to authenticate and check
> > certificates on those open TCP connections. If you don't trust that,
> > our protocol is flawed.
Jabber & Mail: pavlix(at)pavlix.net
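Added example, not part of the thread above: the NAT-PMP suggestion in the discussion is easier to evaluate when the wire format is in front of you. The block below encodes NAT-PMP requests and decodes gateway responses as laid out in RFC 6886 (in 2008 the protocol was still an Internet-Draft; the message layout is the same). The defender-relevant detail it makes visible is that a mapping request carries no internal IP address at all: the gateway maps to the source address of the UDP datagram, so a host can only ask for forwards to itself, whereas UPnP IGD's AddPortMapping takes an explicit internal client address. The sample response bytes, the port 7777 and the epoch value are constructed for the demo; the only real constants are the RFC's port 5351, opcodes and result codes.

```python
"""NAT-PMP (RFC 6886) request encoding and response decoding.

Educational example; it is not the code of any client discussed in the thread.
"""
import socket
import struct
from dataclasses import dataclass
from typing import Union

NATPMP_PORT = 5351      # gateway listens on UDP 5351 (RFC 6886)
NATPMP_VERSION = 0
OP_EXTERNAL_ADDR = 0
OP_MAP_UDP = 1
OP_MAP_TCP = 2
RESPONSE_BIT = 0x80     # responses echo the opcode with the high bit set

# Result codes from RFC 6886 section 3.5
RESULT_CODES = {
    0: "success",
    1: "unsupported version",
    2: "not authorized / refused",   # gateway admin disabled mapping creation
    3: "network failure",
    4: "out of resources",
    5: "unsupported opcode",
}


def build_external_address_request() -> bytes:
    """2-byte request: version, opcode 0."""
    return struct.pack("!BB", NATPMP_VERSION, OP_EXTERNAL_ADDR)


def build_mapping_request(proto: str, internal_port: int,
                          suggested_external_port: int = 0,
                          lifetime: int = 7200) -> bytes:
    """12-byte mapping request. Note there is no internal-address field:
    the gateway maps to the datagram's source IP. lifetime 0 deletes."""
    opcode = {"udp": OP_MAP_UDP, "tcp": OP_MAP_TCP}[proto.lower()]
    return struct.pack("!BBHHHI", NATPMP_VERSION, opcode, 0,
                       internal_port, suggested_external_port, lifetime)


@dataclass
class ExternalAddressResponse:
    result: int
    epoch: int          # gateway seconds-since-start-of-epoch
    address: str


@dataclass
class MappingResponse:
    proto: str
    result: int
    epoch: int
    internal_port: int
    external_port: int  # may differ from the suggested port
    lifetime: int


def parse_response(data: bytes) -> Union[ExternalAddressResponse, MappingResponse]:
    """Decode a gateway response, validating version, response bit and length."""
    if len(data) < 4:
        raise ValueError("NAT-PMP response too short")
    version, opcode, result = struct.unpack("!BBH", data[:4])
    if version != NATPMP_VERSION:
        raise ValueError(f"unexpected NAT-PMP version {version}")
    if not opcode & RESPONSE_BIT:
        raise ValueError("response bit not set; not a gateway reply")
    op = opcode & 0x7F
    if op == OP_EXTERNAL_ADDR:
        if len(data) < 12:
            raise ValueError("external address response too short")
        epoch, a, b, c, d = struct.unpack("!I4B", data[4:12])
        return ExternalAddressResponse(result, epoch, f"{a}.{b}.{c}.{d}")
    if op in (OP_MAP_UDP, OP_MAP_TCP):
        if len(data) < 16:
            raise ValueError("mapping response too short")
        epoch, iport, eport, lifetime = struct.unpack("!IHHI", data[4:16])
        return MappingResponse("udp" if op == OP_MAP_UDP else "tcp",
                               result, epoch, iport, eport, lifetime)
    raise ValueError(f"unknown NAT-PMP opcode {op}")


def describe_result(code: int) -> str:
    return RESULT_CODES.get(code, f"unknown result code {code}")


def query_gateway(gateway_ip: str, request: bytes, timeout: float = 2.0) -> bytes:
    """Send one request to a real gateway over UDP and return the raw reply.
    Not used by the offline demo below."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (gateway_ip, NATPMP_PORT))
        data, _ = s.recvfrom(64)
        return data


# Constructed sample: gateway granting TCP 7777 -> 7777 for 7200 s at epoch 12345
SAMPLE_MAPPING_OK = struct.pack("!BBHIHHI", 0, 0x80 | OP_MAP_TCP, 0, 12345, 7777, 7777, 7200)
# Constructed sample: the same request refused by gateway policy (result 2)
SAMPLE_MAPPING_REFUSED = struct.pack("!BBHIHHI", 0, 0x80 | OP_MAP_TCP, 2, 12345, 7777, 0, 0)

if __name__ == "__main__":
    print(build_mapping_request("tcp", 7777, 7777).hex())
    for raw in (SAMPLE_MAPPING_OK, SAMPLE_MAPPING_REFUSED):
        r = parse_response(raw)
        print(r, describe_result(r.result))
```

The refused sample is the case the thread cares about: a router owner who unticks "allow applications to open ports" gets result code 2 back for every mapping request, and a client that checks `result` instead of assuming the suggested port was granted will fall back to a relay or a tracked outbound connection rather than advertising a port that is not actually open.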