Re: Why all the open ports?

From: Derek Simkowiak <dereks kd-dev com>
To: Eric Kidd <eric kidd pobox com>
Cc: Miguel de Icaza <miguel helixcode com>,gnome-components-list gnome org
Subject: Re: Why all the open ports?
Date: Tue, 11 Jul 2000 17:51:21 -0700 (PDT)

->   * The ORBit libraries have (presumably) been audited,

	My understanding is that this is currently underway, not finished.

->     server code is moderately complex. It's certainly not something a
->     random C programmer could audit in an hour or two.

	Audits or not, an open port is ALWAYS a security risk!

->   * Gnome shouldn't listen on TCP/IP sockets. If users want to run
->     components on multiple machines, they should be using SSH and port
->     forwarding anyway--anything less exposes all CORBA traffic to network
->     sniffers, which is the Wrong Thing<tm>. (For the record, I feel the
->     same way about X's listener on port 6000.)
->   * Gnome shouldn't globally disable ORBit's TCP/IP support.

	I agree with these statements, although given the relationship
between Gnome and ORBit I don't know if the second one really makes sense 
from a technical perspective.

	Another Gnome security concern not yet addressed (except above :)
is the encryption of Gnome's CORBA communications.  Personally, I think
that encryption should be left to the VPN and that ORBit's network traffic
should be clear.  Leave encryption to the encryption experts, the makers
of SSH, vpnd, PPTP, and IPv6.


--Derek

Follow-Ups:
- Re: Why all the open ports?
  - From: Maciej Stachowiak

References:
- Re: Why all the open ports?
  - From: Eric Kidd

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]