[vlc-devel] [PATCH 9/9] lua: http: Announce the web interface over mdns

Rémi Denis-Courmont remi at remlab.net
Tue Sep 8 16:51:41 CEST 2020


	Hi,

On Tuesday, 8 September 2020, 15.10.40 EEST, Hugo Beauzée-Luyssen wrote:
> I agree there is much to do with regard to the web interface, and/or a new
> remote control interface. However, I doubt that this is something we can
> address, at least in its entirety, for VLC 4.

I don't think there is that much to do there. If we keep the existing HTTP 
application layer and TLS, it's mostly about generating a key pair 
automatically by calling some GnuTLS function (or spawning a child process).

Generating a token is not exactly hard or time-consuming, nor is linking a QR 
code.

But that's not even very relevant. The question is not how much work there is. 
The question is if it's reasonable to expose the interface before it is 
secured.

> As Pierre noted, this set is aimed at simplifying pairing with a VLC remote,
> hence the focus on announcing the HTTP interface. The core part is likely
> to help us advertise future services though so it's ultimately not only for
> remotes.

I think everybody agrees there. Advertising the web interface would be 
completely pointless as browsers wouldn't pick the advertisement.

> With regards to the security implications of announcing the web interface,
> given that someone is looking to perform malicious operations using the
> HTTP interface, I don't see the difference between an explicit MDNS
> announce and a quick port scan, beside maybe costing the attacker a few
> seconds.

I have to disagree for 3.5 reasons.

1) Port scanning might be viable on a large campus to find some always-on VLC. 
Hopefully a strong enough password, and a decent network security policy 
prevents breaking in. Advertising is telling everything on the local network 
that you're there now. Any cheap stupid hacked IoT gadget or CPE can pick it 
up and MITM, as can somebody else on a public WiFi.

There is definitely some overlap with port scanning, but it looks like orders 
of magnitude worse exposure. It's also more visible and thus more prone to 
hostile PR.


2a) The advertising in itself actually adds a MITM risk, as the remote 
applications have no means to distinguish the legitimate announces from 
attacker's. Currently at least the user has to verify the IP address. So it's 
not just adding exposure to the existing insecure interface, it's actually 
making the sethings even more insecure.

2b) It's not even clear that the proposed API (patch 1) can sustain the 
hypothetical secure control interface. In fact, it looks very much like it 
can't, as there are no ways to tie the announce to any kind of identity.


3) There is no sunset strategy for advertising the non-secure interface. If we 
cannot even agree to remove an obscure user-hostile feature that literally 
never worked like VLM schedules, how are we ever going to remove this user 
friendliness feature if it gets merged?

-- 
レミ・デニ-クールモン
http://www.remlab.net/
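
Points 2a and 2b above, sketched as an added example that is not part of the original message or of VLC's code: a remote that learned a certificate fingerprint at pairing time (for instance from a QR code) treats an announce only as a hint, and accepts an endpoint only when the TLS peer presents the pinned certificate. The TXT key `fp`, the function names and all sample data are assumptions made for illustration.

```python
import hashlib
import hmac

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, as lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()

def candidates(announces, pinned_fp):
    """Keep announces whose TXT 'fp' hint (hypothetical key) matches the pin.

    Anyone on the link can copy the hint, so this only narrows the list;
    it authenticates nothing.
    """
    return [a for a in announces if a.get("txt", {}).get("fp") == pinned_fp]

def peer_is_paired(presented_cert_der: bytes, pinned_fp: str) -> bool:
    """Compare the certificate from a completed TLS handshake with the
    fingerprint learned at pairing time (constant-time comparison)."""
    return hmac.compare_digest(fingerprint(presented_cert_der), pinned_fp)

def pick_endpoint(announces, pinned_fp, handshake):
    """Return (host, port) of the first announce whose peer proves the pinned
    identity, or None. `handshake(host, port)` returns the peer's DER cert."""
    for a in candidates(announces, pinned_fp):
        if peer_is_paired(handshake(a["host"], a["port"]), pinned_fp):
            return a["host"], a["port"]
    return None

# Constructed sample data: placeholder byte strings stand in for DER certs,
# and the addresses come from the documentation range 192.0.2.0/24.
VLC_CERT = b"constructed-cert-of-the-paired-vlc"
OTHER_CERT = b"constructed-cert-of-another-host"
PINNED = fingerprint(VLC_CERT)  # what the pairing step would have carried

ANNOUNCES = [
    {"host": "192.0.2.66", "port": 8080, "txt": {}},              # no identity at all
    {"host": "192.0.2.77", "port": 8080, "txt": {"fp": PINNED}},  # hint copied
    {"host": "192.0.2.10", "port": 8080, "txt": {"fp": PINNED}},  # paired VLC
]
# Stand-in for the TLS handshake: the certificate each host presents.
PRESENTED = {"192.0.2.66": OTHER_CERT, "192.0.2.77": OTHER_CERT,
             "192.0.2.10": VLC_CERT}

def fake_handshake(host, port):
    return PRESENTED[host]

if __name__ == "__main__":
    print(pick_endpoint(ANNOUNCES, PINNED, fake_handshake))
```

The second announce passes the hint filter and is rejected only at the handshake check, which is why the identity has to be bound to the connection rather than to the announce.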




