New ZeroConf Spec

[Dan Kegel]

On 7/27/06, Florian Zeitz <Florian.Zeitz at gmx.de> wrote:
> So lets look at what semi-open ports we have right now:
> 1. DNS - allows sending any packet addressed to any ip to any other
> mashine of the attackers which
> 2. DHCP - makes 1. possible by telling machines it's dns server. Can
> configure networks in non working ways.
>
> What we want to get:
> avahi - can show you services which *might* be unsecure if you use them.
>
> Now compare that. Do you really thing we open a door compared to a
> window

Yes.    Think about how badly you want Avahi/Zeroconf.  Why do you want it?
Because it makes it soooo easy to advertise and find services.
That also means it makes it very easy for malware or human attackers
to advertise bogus services.   That lowers the level of difficulty of
subverting a network considerably; instead of having to carefully craft
packets or catch a computer when it's making a DNS or DHCP request,
the attacker can now just tell Avahi to advertise a service, and the
bogus service is reliably available on all systems running Avahi!

> isn't it more like opening a window compared to a gate with a
> big "Hack me" sign above it.

No, it's not.  Wishing that Avahi is as secure as standard DNS won't make it so.

> An insecure network will always be insecure.

Translation: we're already insecure, so let's give up on security, and
add new features without worrying about the new holes they add.
Sorry, that's not a very compelling argument.

> To have the perfect security

I'm not looking for perfect security.  I just don't want something that's
ten times less secure than the status quo.

I'll shut up now for at least a week.  As I said earlier, it's clear that
the average person on this list wants Avahi so badly that they couldn't
care less about the security implications.  Perhaps they're right, and
the increased risk is worth it.  I don't think so, but sometimes
"worse is good",
as they say.
- Dan