
Re: Disable ZeroConf: how to ?




Hi,

On Thu, 3 Mar 2011 at 11:25, Tollef Fog Heen wrote:
> Then just don't use it?  Nobody is forcing you to.
[...]
> | And even if you do not care about it, then that functionality should be
> | explicitly configured and not by default.
> 
> That makes it much less useful.  On the other hand, it's not like your
> system will suddenly go around connecting to random services just
> because it sees them announced.

So you contradict yourself within two paragraphs. It makes it less
useful to enable it only on manual intervention (say, it should be
enabled automatically) but on the other hand you say that nobody is forcing
me (or others) to use it. How does that play together?

> Oh, I quite like services to announce themselves so I can just do ssh
> foo.local.  Not everything gets set up in DNS and ssh caches the host
> key so doing a mitm attack after the initial handshake is prevented.

Not every service has that security fence.

> Except zeroconf isn't routed so to be able to exploit it you need to be
> on the same physical segment?

Physical might be relative with wireless networks. But you are right
that it isn't routed (thank goodness), but that only hinders it from taking
down the whole net.

> If you have found any bugs where network sinks are used automatically
> please file bugs about that.

Oh, there is no chance of that as I will never ever use such stuff.

> Really, if you want to disable avahi, please feel free to do so on your
> systems.

That is what the discussion is about, yes. And the pressure some dependencies
bring in.

> Or use a firewall, or both.

It is said in other places that firewalling is not the solution.

> Debian has a fair balance of functionality, security and convenience
> out of the box,

Unfortunately some people in Debian started to place convenience much
higher than security. I think that is a dangerous trend. Debian gives up
more and more security for convenience.

> if you disagree with the current balance, feel free to invest the work
> into making it possible to harden Debian further.

Oh, I did. I am not a DD and involved myself in some discussions about
that. But finally I found out that the force of (some) DDs is higher
than mine and that they misuse it. So I am only able to fix the issues
I have locally and share the hardened packages with others in a private
repository. That is not great but sometimes it is the only workable way.
And it is no easy way.

Regards
   Klaus
- -- 
Klaus Ethgen                            http://www.ethgen.ch/
pub  2048R/D1A4EDE5 2000-02-26 Klaus Ethgen <Klaus@Ethgen.de>
Fingerprint: D7 67 71 C4 99 A6 D4 FE  EA 40 30 57 3C 88 26 2B