On 29 February 2012 23:51, Simo Sorce <simo(a)redhat.com> wrote:
> On Wed, 2012-02-29 at 10:09 -0700, Chris Murphy wrote:
>> On Feb 29, 2012, at 5:15 AM, drago01 wrote:
>>
>> > On Wed, Feb 29, 2012 at 1:02 PM, Neal Becker <ndbecker2(a)gmail.com> wrote:
>> >> I think he's got a point
>> >>
>> >> http://www.osnews.com/story/25659/Torvalds_requiring_root_password_for_mu...
>> >
>>
>> My example is mDNS being blocked in the Firewall by default *and* it requires a
>> root password to unblock it. Completely retarded.
>
> Except that mDNS is a real security issue (because you can hijack name
> resolution quite easily with it).
Is it really any worse than real DNS spoofing? I mean, it is as easy
to reply with fake data to a unicast DNS request, if I'm on the same subnet
(and thus can pretend to be the DNS server).
The same protections should be used, that is DNSSEC and end-to-end
authentication (SSH, TLS). This still leaves the real mDNS area
unprotected, but this is to be expected, and it's just a UI issue
(that could be resolved once network zones land).
I am a big fan of network zones, it simplifies the concept for naive
users in a way that makes it usable.
Simo.
--
Simo Sorce * Red Hat, Inc * New York