On Feb 29, 2012, at 3:51 PM, Simo Sorce wrote:
> On Wed, 2012-02-29 at 10:09 -0700, Chris Murphy wrote:
> >
> > My example is mDNS being blocked in the Firewall by default *and* it requires a root
> > password to unblock it. Completely retarded.
>
> Except that mDNS is a real security issue (because you can hijack name
> resolution quite easily with it).

Fair enough but then I'd argue mDNS's present method of dealing with hijacking. If
two clients respond with the same name, it seems that all other clients on the network
should blacklist both clients rather than trusting the one that answers first. Disabling
it entirely is the granularity of a large hammer. mDNS is still much more useful than not
useful, and more useful than statistically risky, despite being highly spoofable.

> That said I understand your pain and realize the current solution is
> not ideal for the casual user. Maybe we should have 2 security profiles
> (lax and strict) that you can choose at install time so that people can
> choose what they like best.

I was under the impression F17 was going to have a different firewall, such that mDNS was
going to be enabled if a service, such as sshd, was enabled and also has an Avahi service
listing. Or something like that.
Chris Murphy
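
The policy proposed in the reply above (refuse a name when two senders claim it, rather than trusting whoever answers first), sketched as an added example that is not part of the original message or of any mDNS implementation. The record tuples, the use of sender IP as identity, and the function names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: (time_s, sender_ip, name, address) for observed mDNS A answers.
OBSERVED = [
    (0.00, "192.168.1.20", "printer.local", "192.168.1.20"),
    (0.02, "192.168.1.66", "fileserver.local", "192.168.1.66"),  # answers first
    (0.05, "192.168.1.10", "fileserver.local", "192.168.1.10"),  # second claimant
    (0.06, "192.168.1.30", "laptop.local", "192.168.1.30"),
    (0.07, "192.168.1.30", "laptop.local", "10.0.0.30"),  # same sender, 2nd address
]


def first_answer_wins(answers):
    """Trust whichever sender answered first for each name."""
    resolved = {}
    for _, _sender, name, addr in sorted(answers):
        resolved.setdefault(name.lower(), addr)
    return resolved


def distrust_conflicts(answers):
    """Resolve a name only when a single sender claims it.

    Returns (resolved, blocked): resolved maps name -> list of addresses,
    blocked maps name -> sorted list of every sender that claimed it.
    One sender announcing several addresses (multi-homed host) is not a conflict.
    """
    claims = defaultdict(lambda: defaultdict(list))  # name -> sender -> [addr]
    for _, sender, name, addr in sorted(answers):
        claims[name.lower()][sender].append(addr)

    resolved, blocked = {}, {}
    for name, by_sender in claims.items():
        if len(by_sender) == 1:
            resolved[name] = next(iter(by_sender.values()))
        else:
            blocked[name] = sorted(by_sender)  # distrust all claimants
    return resolved, blocked


if __name__ == "__main__":
    print("first answer wins:", first_answer_wins(OBSERVED))
    ok, bad = distrust_conflicts(OBSERVED)
    print("resolved:", ok)
    print("blocked :", bad)
```
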