On Thu, 2006-07-27 at 03:51 -0700, Dan Kegel wrote:
> I think what you're saying is "hostnames are
useless for security with mDNS",
> and I agree.
I agree too. But I also think that hostnames (by themselves)
are fairly
useless for security with normal DNS.
> Currently, many applications assume that hostnames
actually mean something,
> and use hostnames to identify resources. (For
instance, ssh, cups,
> and web browsers.) I think those two facts together
mean that
> anyone who uses ssh, cups, or web browsers probably
shouldn't use mDNS.
For authentication of host identity (which is what I assume
you mean by
hostname security) SSH uses RSA/DSA keys to ensure the host
you're
connecting to is the right one. HTTPS uses X.509
certificates for a
similar purpose.
If you're using normal HTTP, you can't be sure that
you're connecting to
the site you think you are. There are many points along the
line where
someone can alter DNS records, from a machine on the local
network
snooping and spoofing repies, to upstream DNS cache
poisoning, and
deliberate acts of hijacking by your ISP[0].
> So, when we switch on Avahi and enter the brave new
world of
> meaningless hostnames, how will we know which services
to trust?
The same way you know which services to trust with normal
DNS: having
the hosts provide some form of proof-of-identity, like
digital
certificates, shared passwords or public-key authentication.
[0] during an "Australian Idol" TV final a while
back, they left off the
trailing .au of the winner's site - the site they named (on
prime-time
commercial TV) was that of a deceased male porn star.
Australia's
largest ISP altered their response to dns requests for the
.com site to
point to the .com.au one.
Cheers,
James "Doc" Livingston
--
If you have any trouble sounding condescending, find a Unix
user to show
you how it's done. - Scott Adams
--
ubuntu-devel mailing list
ubuntu-devel lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
|
--
Jan Claeys
--
ubuntu-devel mailing list
ubuntu-devel