New ZeroConf Spec

Florian Zeitz Florian.Zeitz at gmx.de
Thu Jul 20 23:41:26 BST 2006


Dan Kegel wrote:
>> Actually that is not the way I understood zeroconf, or at least not as
>> the main point behind it. AFAIK its main purpose is to advertise
>> services to other users on the network.
> 
> And to *receive* those advertisements, in a highly indiscriminate manner.
> ANYBODY can advertise a service, even a rogue node.
> And there is *no* security built into Avahi that can protect users from
> accidentally using a rogue service offered by a compromised node on the
> local network.
> - Dan
> 

Excuse me, but you'll have to explain this to me. From what I understand,
you receive advertisements from a remote machine, be it a rogue one or
not. After that you know that a service is available. To this point
nothing bad has happened (unless avahi is vulnerable to something just
in its advertisement receiving code).
Now it's up to you whether you want to use that service or not. This is
hardly worse than finding an executable on a random place on the
internet. It's not like the user gets messages like "Hey we found a
service you should definitely try it out, you can absolutely trust it
and it's just great". Also the application that uses the service has to
be somehow vulnerable.
Of course this can always be the case, that's why it should be off by
default, but should be available easily enough.




More information about the ubuntu-devel mailing list