[vlc-devel] [PATCH 9/9] lua: http: Announce the web interface over mdns
Rémi Denis-Courmont
remi at remlab.net
Sun Sep 6 09:02:48 CEST 2020
On Sunday, 6 September 2020, 6.15.34 EEST, Pierre Ynard via vlc-devel wrote:
> - a remote control interface designed around the idea of not allowing
> full access to full VLC capabilities by default: perhaps safe/advanced
> modes (with advanced disabled by default), several levels of
> authorization, or granting access to each client on a feature basis
> (local media, optical drives, network inputs, stream output...)
> similarly to the OS permission model for smartphone applications.
That's far less actionable than just keeping the current functionality and
adding authentication, integrity, confidentiality on top. People would just
enable everything, and we'd be back again with a cop-out instead of real
security, like the password now, and the ACL before it.
I kept "secure remote control interface, with user-friendly pairing and
what-not" abstract because there are many ways to do it. But if you need an
*example*, you can just:
- on first run, automatically generate a private key,
- generate a self-signed x509 certificate for the private key,
- use it as server-side certificate within TLS,
- when adding (pairing) a new client, display a QR code containing:
  - the fingerprint of the certificate,
  - a pseudo-random authentication token for the client to pass via Basic or
    Token HTTP authentication.
This is far from perfect. For instance, you would probably want to keep a list
of paired devices so that you can revoke them.
The application can just scan the QR code. It has all the data it needs to
authenticate the server (fingerprint) and to authenticate itself to the server
(token). Of course, this requires remote control applications to actually
implement this. There is no such thing as a free lunch. But while we cannot
change web browsers, we *can* strong-arm VLC remotes.
--
雷米‧德尼-库尔蒙
http://www.remlab.net/
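
The pairing scheme outlined in the message above, including the revocable list of paired devices, as an added example that is not part of the original post or of VLC's code. Assumptions: a JSON QR payload with the hypothetical fields "fp" and "token", a SHA-256 fingerprint over the DER certificate, the Bearer scheme for the token, and a constructed byte string standing in for a real certificate.

```python
import hashlib, hmac, json, secrets
from typing import Optional

# Constructed stand-in for the DER bytes of the server's self-signed certificate.
SAMPLE_CERT_DER = b"constructed-placeholder-certificate-der"

def cert_fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 of the DER certificate (digest choice is an assumption)."""
    return hashlib.sha256(cert_der).hexdigest()

class PairingRegistry:
    """Server side: one random token per paired device, revocable by name."""
    def __init__(self, cert_der: bytes):
        self.fingerprint = cert_fingerprint(cert_der)
        self._devices = {}  # device name -> SHA-256 digest of its token

    def pair(self, name: str) -> str:
        """Return the text to encode in the QR code shown for a new device."""
        token = secrets.token_urlsafe(32)
        # Keep only a hash, so a leaked device list holds no usable tokens.
        self._devices[name] = hashlib.sha256(token.encode()).digest()
        return json.dumps({"fp": self.fingerprint, "token": token})

    def revoke(self, name: str) -> None:
        self._devices.pop(name, None)

    def authenticate(self, authorization: str) -> Optional[str]:
        """Map an Authorization header value to a paired device, or None."""
        scheme, _, token = authorization.partition(" ")
        if scheme.lower() != "bearer" or not token:
            return None
        digest = hashlib.sha256(token.encode()).digest()
        for name, stored in self._devices.items():
            if hmac.compare_digest(stored, digest):
                return name
        return None

def client_accepts(qr_text: str, presented_cert_der: bytes) -> Optional[str]:
    """Client side: pin the certificate, then return the header value to send.

    In a real client presented_cert_der would come from
    ssl.SSLSocket.getpeercert(binary_form=True) after the TLS handshake.
    """
    data = json.loads(qr_text)
    expected = str(data.get("fp", "")).encode()
    actual = cert_fingerprint(presented_cert_der).encode()
    if not hmac.compare_digest(expected, actual):
        return None  # not the certificate that was displayed at pairing time
    return "Bearer " + data["token"]
```

The client sends the token only after the fingerprint check passes, so a server presenting a different certificate never receives it.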