New ZeroConf Spec

Micah J. Cowan micah at cowan.name
Thu Jul 20 22:07:57 BST 2006


On Thu, Jul 20, 2006 at 10:35:59PM +0200, Florian Zeitz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Micah J. Cowan wrote:
> > zeroconf is a *completely* different beast from E-mail, IM, or Web
> > browsing. All of these /make/ connections, but don't receive them, and
> > certainly none of them blindly accept connections from any host that
> > chooses to speak with them. There is no inherent problem to firing up a
> > mail agent: the security problems have always been with once you
> > specifically read a malicious e-mail (I'm talking about MUAs here, not
> > MTAs). There is no inherent problem to firing up a web-browser: security
> > problems have always had to do with specifically viewing a particular
> > site.
> > 
> > With zeroconf, there are serious passive security issues. It should
> > /never/ be activated without explicit choice on the part of the user.
> > Now, that explicit choice /could/ be to say: allow all further requests
> > for zeroconf without pestering me, but it still needs to be explicit (it
> > should never be set up that way by default).
> 
> This is not true. Just the fact that a program is receiving data is
> technically enough to make it possible to use a theoretical exploit and
> I don't think that there are necessarily more of them hidden in avahi
> than in Evolution, Firefox or Gaim.

You'll note that I said that, if you read my first paragraph. But in all
those cases, you specifically choose who you are receiving messages
from. In zeroconf, you don't really.

It's one thing to talk about "theoretical" exploits where there is no
theory: that is, you can talk about buffer overflows or whatnot, but
unless you can prove there is buffer mishandling, you don't _know_ it's
there (not that I'm saying you should assume it isn't).

With ZeroConf, by definition you're reconfiguring your system based on
the input. It's not guesswork: you /know/ the exploit, and it's not
theoretical.

> But that wasn't the point, the point is that the user must be aware that
> he currently is running something that is potentially dangerous.
> Also if there are right now passive security issues you know of, I'd
> like to hear them and you should file them as bugs.

They're not bugs, they're by design. The system, at least as it has been
described, is inherently insecure, and may only be used if the user
implicitly trusts the network on which he resides, as well as their
ability to firewall bad packets that avahi might use.

I don't use Avahi, so perhaps I've been misled. But according to what I
understand from descriptions on this mailing list, it will keep an open
listen on a known UDP port, accepting any packet fed to it, all of which
are capable of altering its knowledge of the Domain Name System. If all
of this is correct, then I don't know why we're arguing about whether it
has security issues or not: it is _trivial_ to demonstrate how DNS
poisoning can lead to serious problems for the unwary (and even the
wary) user.

ZeroConf-installed-by-default may be a good idea. For some other distro.
Asking the developers of a distro with a solid and commendable security
policy just to throw it out the window for such a small benefit is
silly.

-- 
Micah J. Cowan
Programmer, musician, typesetting enthusiast, gamer...
http://micah.cowan.name/
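The risk argued over above (a daemon that updates its name cache from whatever arrives on the well-known mDNS UDP port) can be made concrete with a small added example. This is not code from the thread or from Avahi; it is a minimal DNS wire-format parser plus two cache-update policies: one that trusts every answer record it sees, and a hardened one that applies the checks a defender would want before acting on a packet (the source must be on the local link, and a LAN peer may only define names under `.local`, never a global name such as `www.example.com`). The packets, addresses, names and the `192.168.1.0/24` network are constructed for the demonstration; the function names are this example's own.

```python
import ipaddress
import struct

MDNS_PORT = 5353  # well-known mDNS port; only used as documentation here


def _read_name(msg, off):
    """Decode a DNS wire-format name (handling compression pointers) at offset off.
    Returns (lower-cased dotted name, offset just past the name in the message)."""
    labels = []
    jumped = False
    end = off
    while True:
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped = True
            off = ptr
            continue
        off += 1
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels).lower(), end


def parse_answers(msg):
    """Return [(name, rtype, ttl, rdata)] for every record in the answer section."""
    if len(msg) < 12:
        return []
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):          # skip the question section
        _, off = _read_name(msg, off)
        off += 4                      # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, ttl, msg[off:off + rdlen]))
        off += rdlen
    return answers


def build_response(name, ip, ttl=120):
    """Construct (for the test only) a minimal mDNS-style response carrying one A record."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)  # QR=1, AA=1, one answer
    wire_name = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                         for lbl in name.split(".")) + b"\x00"
    # class 0x8001 = IN with the mDNS cache-flush bit set
    rr = struct.pack("!HHIH", 1, 0x8001, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + wire_name + rr


def accept_blindly(cache, src_ip, msg):
    """The policy the thread worries about: every A record overwrites the cache."""
    for name, rtype, _ttl, rdata in parse_answers(msg):
        if rtype == 1:
            cache[name] = str(ipaddress.IPv4Address(rdata))
    return cache


def accept_hardened(cache, src_ip, msg, local_net):
    """Defensive policy: off-link sources are dropped and only .local names may be set."""
    if ipaddress.ip_address(src_ip) not in local_net:
        return cache                  # mDNS is link-local; anything routed in is suspect
    for name, rtype, _ttl, rdata in parse_answers(msg):
        if rtype != 1:
            continue
        if not name.endswith(".local"):
            continue                  # a LAN peer must not define names outside .local
        cache[name] = str(ipaddress.IPv4Address(rdata))
    return cache


def demo():
    """Feed the same constructed packets to both policies and return the two caches."""
    local_net = ipaddress.ip_network("192.168.1.0/24")          # constructed LAN
    benign = build_response("printer.local", "192.168.1.20")    # legitimate .local service
    rogue = build_response("www.example.com", "192.168.1.66")   # LAN peer claiming a global name
    offlink = build_response("nas.local", "10.0.0.5")           # arrives from outside the link
    blind = accept_blindly({}, "192.168.1.66", benign)
    blind = accept_blindly(blind, "192.168.1.66", rogue)
    hard = accept_hardened({}, "192.168.1.66", benign, local_net)
    hard = accept_hardened(hard, "192.168.1.66", rogue, local_net)
    hard = accept_hardened(hard, "203.0.113.9", offlink, local_net)
    return blind, hard


if __name__ == "__main__":
    blind_cache, hardened_cache = demo()
    print("blind:   ", blind_cache)
    print("hardened:", hardened_cache)
```

Running `demo()` shows the difference the thread is about: the blind policy ends up mapping `www.example.com` to a LAN peer's address, while the hardened policy keeps only `printer.local`. Restricting accepted names to `.local` and accepted sources to the link is what keeps a zeroconf responder from becoming a general DNS-poisoning channel; a host firewall rule limiting UDP 5353 to link-local peers complements the same check at the packet level.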


