[vlc-devel] [PATCH 9/9] lua: http: Announce the web interface over mdns

Marvin Scholz epirat07 at gmail.com
Fri Sep 4 21:30:16 CEST 2020



On 4 Sep 2020, at 16:47, Rémi Denis-Courmont wrote:

> 	Hi,
>
> Le torstaina 3. syyskuuta 2020, 12.59.06 EEST Alexandre Janniaux a 
> écrit :
>> I agree that it must not be exposed (even on local network)
>> until HTTP is a bit more secure,
>
> "HTTP" is not getting "a bit more secure".
>
> We can define a secure remote control interface, with user-friendly 
> pairing and
> what-not, for VLC remote control applications to use. Then we can 
> advertise on
> the local network it for autodetection. I would be tempted to use CoAP 
> rather
> than HTTP, but we can stick to HTTP or do both.
>
> However, that would not be "HTTP" in the sense that it would not be a 
> (secure)
> web site that can be readily opened in a web browser, even if the 
> application
> layer could still be HTTP. In other words, the remote control 
> interface would
> no longer be confounded with the AJAX backend of the web interface.
>

I agree with Remi. It seems like a much better idea to instead
advertise a proper remote control API/protocol instead of the HTTP
interface as a whole…

>> but it is probably ok if
>> disabled by default and enabled through an option.
>
> Bad Idea™.
>
> I think it's a miracle that we've gotten so little negative press 
> about the
> HTTP interface. Adding network advertisement is like painting a cross 
> aim over
> it for infosec folks.
>
> -- 
> Rémi Denis-Courmont
> http://www.remlab.net/
>
>
>
> _______________________________________________
> vlc-devel mailing list
> To unsubscribe or modify your subscription options:
> https://mailman.videolan.org/listinfo/vlc-devel


More information about the vlc-devel mailing list