[Security] client-to-client security :: Summary and todo's

Pavel Simerda pavlix at pavlix.net
Sun Aug 24 04:20:30 CDT 2008


On Sun, 24 Aug 2008 10:50:03 +0200
Dirk Meyer <dmeyer at tzi.de> wrote:

> Pedro Melo wrote:
> > Hi,
> >
> > On Aug 23, 2008, at 5:21 PM, Dirk Meyer wrote:
> >> UPnP is a working choice, but bad. Just google for it. Since it is
> >> based on HTTP, attackers found a way to open ports on your
> >> router.
> >
> > Having an open TCP port is not necessarily a security risk. It only
> > becomes a security risk if the server that listens to that port has
> > security problems.
> >
> > Don't blame open TCP ports for mistakes of server programmers.
> 
> The point is that app x can forward ports to app y. In my normal use
> this is no problem and I'm fine with it. I only have ssh open. But my
> parents use Windows and it has a lot of ports open with security
> bugs. I cannot blame TCP for it, but I am very happy that a bug in
> Flash or something else can not open a forward on the router. So I
> like the fact that a NAT is some sort of firewall for my parents.

Of course it can open a connection, what's the difference in security
between an explicit *portforward* and an implicit *tracked connection*?

Sure it couldn't open ports for other apps (and this is a security bug
in the router imho, possibly based on flawed specs) but it doesn't
matter. It can forward the traffic itself if needed with no need to do
portforwards.

> 
> >> Besides that, I do not like the idea that every app can open
> >> ports.
> >
> > Well, how are they supposed to accept connections? And please don't
> > mention rfc2549 :).
> 
> What is wrong with that? I live in the city, we have enough pidgins :)
> 
> You are right, I would love to see it working that an app can open a
> port for services. No NAT problem. That would be very user-friendly.
> But to trust such a thing for my parents I need a way to make Windows
> secure. I guess that is my main problem.

If this is the main problem, then it's not so bad ;).

> > Really, I think you should get used to it. With IPv6 (and yes, I'm a
> > believer :) ) you will (or at least I hope you will) lose that NAT
> > security barrier that we have all grown so fond of, and the
> > responsibility of server software implementations will be much much
> > greater.
> 
> I'm also a believer. I have a /64 network at home with public
> addresses. Very nice to have. But back to my parents: if they get IPv6
> I would install a firewall on the router to block most incoming
> connections.

Sure you would. But aren't the techniques to go through stateful
firewalls you cannot configure similar to those for NAT?

And any "local admin" can allow specific ports with suitable
documentation. So if the c2c connections use a specific port (as
configured in the client, we already did it for file transfer), you can
just enable it.

A good router UI might possibly provide simple checkboxes like "Allow
Direct XMPP" and similar.

> > Personally, I think we will get user-level firewall APIs: you
> > negotiate a Jingle session with your peer and then open the
> > necessary ports with a source filter.
> 
> Maybe use NAT-PMP and not UPnP. It only covers the forwarding and
> already works on some routers. UPnP IGD may be supported by more routers
> but IMHO NAT-PMP is the future.
> 
> http://files.dns-sd.org/draft-cheshire-nat-pmp.txt
> 

Thanks a lot.

> > But getting back to our topic: you get to authenticate and check
> > certificates on those open TCP connections. If you don't trust that,
> > our protocol is flawed.
> 
> Agreed.
> 
> 
> Dirk
> 


-- 

Web: http://www.pavlix.net/
Jabber & Mail: pavlix(at)pavlix.net
OpenID: pavlix.net
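
The thread's two positions (any application can ask the router for a forward; a local admin can allow one documented port) can be checked against NAT-PMP traffic itself. The following is an added example, not part of the original message: it parses NAT-PMP mapping requests (layout as in RFC 6886, the published form of the draft linked above) and flags requests outside an allow-list. Port 40000, the addresses and the sample packets are constructed assumptions.

```python
import struct

OPCODES = {1: "udp", 2: "tcp"}   # NAT-PMP mapping-request opcodes
ALLOWED = {("tcp", 40000)}       # assumption: the one port the admin documented for c2c

def build_map_request(proto, internal_port, external_port, lifetime):
    """Encode a 12-byte mapping request: version 0, opcode, reserved, ports, lifetime."""
    op = {name: code for code, name in OPCODES.items()}[proto]
    return struct.pack("!BBHHHI", 0, op, 0, internal_port, external_port, lifetime)

def parse_map_request(payload):
    """Decode a mapping request; raise ValueError if it is not one."""
    if len(payload) != 12:
        raise ValueError("mapping request must be 12 bytes, got %d" % len(payload))
    version, op, _reserved, internal, external, lifetime = struct.unpack("!BBHHHI", payload)
    if version != 0 or op not in OPCODES:
        raise ValueError("unexpected version/opcode %d/%d" % (version, op))
    return {"proto": OPCODES[op], "internal_port": internal,
            "external_port": external, "lifetime": lifetime}

def audit(requests, allowed=ALLOWED):
    """Return (client_ip, reason, detail) for every request outside the policy.

    The request carries no credential and no client address field: the gateway
    maps to whichever LAN host sent the datagram, so the source IP is the only identity.
    """
    findings = []
    for client_ip, payload in requests:
        try:
            req = parse_map_request(payload)
        except ValueError as exc:
            findings.append((client_ip, "malformed", str(exc)))
            continue
        if req["lifetime"] == 0:          # lifetime 0 deletes a mapping, opens nothing
            continue
        if (req["proto"], req["internal_port"]) not in allowed:
            findings.append((client_ip, "not-allowed",
                             "%s/%d for %ds" % (req["proto"], req["internal_port"], req["lifetime"])))
    return findings

# Constructed sample traffic (not captured from a real network).
SAMPLE = [
    ("192.168.1.10", build_map_request("tcp", 40000, 40000, 3600)),  # documented port
    ("192.168.1.23", build_map_request("tcp", 445, 445, 7200)),      # outside the policy
    ("192.168.1.23", build_map_request("udp", 40000, 0, 0)),         # deletion request
    ("192.168.1.99", b"\x00\x02\x00"),                               # truncated datagram
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
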

