[vlc-devel] [PATCH 9/9] lua: http: Announce the web interface over mdns

Rémi Denis-Courmont remi at remlab.net
Fri Sep 4 15:53:26 CEST 2020


On Friday, 4 September 2020, 11.16.26 EEST Hugo Beauzée-Luyssen wrote:
> On Fri, Sep 4, 2020, at 7:58 AM, Pierre Ynard via vlc-devel wrote:
> > It's not just about security. Since when is it okay for VLC to report
> > or advertise to third parties and the outside world what it's doing,
> > without the user's consent?
> 
> We agree that it shouldn't be enabled without user consent, but I think that
> was Alexandre's point.
> 
> > As for the password-protected part, it is very problematic too in
> > several ways.
> 
> Could you elaborate?

I can't read Pierre's mind, but the password is just a poor excuse for 
security:

1) Most users don't realise just how powerful the HTTP interface is and 
accordingly how critical the password is, and set something trivial. This is 
aggravated by the lack of brute force mitigation.

2) Even if they do realise the impact of the HTTP interface, they may not 
realise that it's sent in cleartext. If they reuse a usual password of 
theirs, it can be stolen for identity theft.

3) In the unlikely event that a strong and unique password is used, since it 
is sent in cleartext, and the commands are not integrity-protected, it does not 
really protect much of anything.

-- 
Rémi Denis-Courmont
http://www.remlab.net/




