Re: Why all the open ports?



->   * The ORBit libraries have (presumably) been audited,

	My understanding is that this is currently underway, not finished.

->     server code is moderately complex. It's certainly not something a
->     random C programmer could audit in an hour or two.

	Audits or not, an open port is ALWAYS a security risk!

->   * Gnome shouldn't listen on TCP/IP sockets. If users want to run
->     components on multiple machines, they should be using SSH and port
->     forwarding anyway--anything less exposes all CORBA traffic to network
->     sniffers, which is the Wrong Thing<tm>. (For the record, I feel the
->     same way about X's listener on port 6000.)
->   * Gnome shouldn't globally disable ORBit's TCP/IP support.

	I agree with these statements, although given the relationship
between Gnome and ORBit I don't know if the second one really makes sense 
from a technical perspective.

	Another Gnome security concern not yet addressed (except above :)
is the encryption of Gnome's CORBA communications.  Personally, I think
that encryption should be left to the VPN and that ORBit's network traffic
should be clear.  Leave encryption to the encryption experts, the makers
of SSH, vpnd, PPTP, and IPv6.


--Derek




