[vlc-devel] [PATCH 9/9] lua: http: Announce the web interface over mdns

Hugo Beauzée-Luyssen hugo at beauzee.fr
Tue Sep 8 14:10:40 CEST 2020 

On Sun, Sep 6, 2020, at 9:02 AM, Rémi Denis-Courmont wrote:
> Le sunnuntaina 6. syyskuuta 2020, 6.15.34 EEST Pierre Ynard via vlc-devel a 
> écrit :
> > - a remote control interface designed around the idea of not allowing
> >   full access to full VLC capabilities by default: perhaps safe/advanced
> >   modes (with advanced disabled by default), several levels of
> >   authorization, or granting access to each client on a feature basis
> >   (local media, optical drives, network inputs, stream output...)
> >   similarly to the OS permission model for smartphone applications.
> 
> That's far less actionable than just keeping the current functionality and 
> adding authentication, integrity, confidentiality on top. People would just 
> enable everything, and we'd be back again with a cop-out instead of real 
> security, like the password now, and the ACL before it.
> 
> I kept "secure remote control interface, with user-friendly pairing and 
> what-not" abstract because there are many ways to do it. But if you need an 
> *example*, you can just:
> - on first run, automatically generate a private key,
> - generate a self-signed x509 certificate for the private key,
> - use it as server-side certificate within TLS,
> - when adding (pairing) a new client, display a QR code contaning:
>   - the fingerprint of the certificate,
>   - a pseudo-random authentication token for the client to pass via Basic or 
> Token HTTP authentication.
> 
> This is far from perfect. For instance, you would probably want to keep a list 
> of paired devices so that you can revoke them.
> 
> The application can just scan the QR code. It has all the data it needs to 
> authenticate the server (fingerprint) and to authenticate itself to the server 
> (token). Of course, this requires remote control applications to actually 
> implement this. There is no such thing as a free lunch. But while we cannot 
> change web browsers, we *can* strong-arm VLC remotes.
> 

Hi,

Thanks for the detailed answers.

I agree there is much to do with regard to the web interface, and/or a new remote control interface. However, I doubt that this is something we can address, at least in its entirety, for VLC 4.

As Pierre noted, this set is aimed at simplifying pairing with a VLC remote, hence the focus on announcing the HTTP interface. The core part is likely to help us advertise future services though so it's ultimately not only for remotes. 

I agree that advertising without user's consent is a no go, and I overlooked that in the first version. The new set has a setting that defaults to false, so user consent is explicitly asked for.

With regards to the security implications of announcing the web interface, given that someone is looking to perform malicious operations using the HTTP interface, I don't see the difference between an explicit MDNS announce and a quick port scan, beside maybe costing the attacked a few seconds. As far as I can see, when you enable the HTTP interface, you are indirectly advertising it in your local network anyway. Announcing it over MDNS doesn't change much for attackers, but it does help legitimate users who want to setup their remote apps.

Regards,

-- 
  Hugo Beauzée-Luyssen
  hugo at beauzee.fr

More information about the vlc-devel mailing list