[vlc-devel] [PATCH 9/9] lua: http: Announce the web interface over mdns
Rémi Denis-Courmont
remi at remlab.net
Fri Sep 4 15:53:26 CEST 2020
Le perjantaina 4. syyskuuta 2020, 11.16.26 EEST Hugo Beauzée-Luyssen a écrit :
> On Fri, Sep 4, 2020, at 7:58 AM, Pierre Ynard via vlc-devel wrote:
> > _______________________________________________
> > vlc-devel mailing list
> > To unsubscribe or modify your subscription options:
> > https://mailman.videolan.org/listinfo/vlc-devel
> > Attachments:
> > * Email.eml
> >
> > It's not just about security. Since when is it okay for VLC to report
> >
> > or advertise to third parties and the outside world what it's doing,
> >
> > without the user's consent?
>
> We agree that it shouldn't be enabled without user consent, but I think that
> was Alexandre's point
> > As for the password-protected part, it is very problematic too in
> > several ways.
>
> Could you elaborate?
I can't read Pierre's mind, but the password is just a poor excuse for
security:
1) Most users don't realise just how powerful the HTTP interface is and
accordingly how critical the password is, and set something trivial. This is
aggravated by the lack of brute force mitigation.
2) Even if they do realise the impact of the HTTP interface, they may not
realise that it's sent in cleartext. If they reuse an usual password of
theirs, it can be stolen for identity theft.
3) In the unlikely event that a strong and unique password is used, since it
is sent in cleartext, and the commands are no integrity-protected, it does not
really protect much anything.
--
Rémi Denis-Courmont
http://www.remlab.net/
More information about the vlc-devel
mailing list