[vlc-devel] [PATCH 9/9] lua: http: Announce the web interface over mdns

Pierre Ynard linkfanel at yahoo.fr
Tue Sep 8 14:50:09 CEST 2020


> I agree there is much to do with regard to the web interface, and/or a
> new remote control interface. However, I doubt that this is something we
> can address, at least in its entirety, for VLC 4.

That's fine, there's no rush to add that advertisement feature in
VLC 4 either. What I mean is that as I said, we don't need another
not-yet-ready lua feature crammed into the next release because we gotta
have it: that reasoning is not a justification, on the contrary.

> As Pierre noted, this set is aimed at simplifying pairing with a VLC
> remote, hence the focus on announcing the HTTP interface. The core part
> is likely to help us advertise future services though so it's ultimately
> not only for remotes. 

Technically, what it should advertise then is the HTTP API back end
(XML/JSON request handlers powered by httprequests.lua), which is that
remote control interface here, rather than the web interface front end
at the root. But I don't know whether and how that difference translates
and is relevant to mDNS.

> With regards to the security implications of announcing the web
> interface, given that someone is looking to perform malicious
> operations using the HTTP interface, I don't see the difference
> between an explicit MDNS announce and a quick port scan, besides maybe
> costing the attacker a few seconds. As far as I can see, when you
> enable the HTTP interface, you are indirectly advertising it in your
> local network anyway. Announcing it over MDNS doesn't change much for
> attackers, but it does help legitimate users who want to set up their
> remote apps.

We can agree to disagree here. The whole point about subscribing to the
botnet is that it moves you in scope by orders of magnitude, from
active targeted attacks to bulk exploitation and automated worms with
a life of their own. It's true that it would be possible, through port
scanning, to collect databases of exploitable open VLC web interfaces to
bring it to the bulk scale, but mass scanning from the internet doesn't
affect LANs, and mDNS services are inherently meant to be registered and
listed so it just doesn't seem comparable to me.

-- 
Pierre Ynard
"A soul in a body is like a drawing on a sheet of paper."