[vlc-devel] [PATCH 9/9] lua: http: Announce the web interface over mdns

Wed Sep 9 14:01:06 CEST 2020

On Tue, Sep 8, 2020, at 4:51 PM, Rémi Denis-Courmont wrote:
> 	Hi,
> 
> Le tiistaina 8. syyskuuta 2020, 15.10.40 EEST Hugo Beauzée-Luyssen a écrit :
> > I agree there is much to do with regard to the web interface, and/or a new
> > remote control interface. However, I doubt that this is something we can
> > address, at least in its entirety, for VLC 4.
> 
> I don't think there is that much to do there. If we keep the existing HTTP 
> application layer and TLS, it's mostly about generating a key pair 
> automatically by calling some GnuTLS function (or spawning a child process).
> 
> Generating a token is not exactly hard or time-consuming, nor is linking a QR 
> code.
> 
> But that's not even very relevant. The question is not how much work there is. 
> The question is if it's reasonable to expose the interface before it is 
> secured.
> 
> > As Pierre noted, this set is aimed at simplifying pairing with a VLC remote,
> > hence the focus on announcing the HTTP interface. The core part is likely
> > to help us advertise future services though so it's ultimately not only for
> > remotes.
> 
> I think everybody agrees there. Advertising the web interface would be 
> completely pointless as browsers wouldn't pick the advertisement.
> 
> > With regards to the security implications of announcing the web interface,
> > given that someone is looking to perform malicious operations using the
> > HTTP interface, I don't see the difference between an explicit MDNS
> > announce and a quick port scan, beside maybe costing the attacked a few
> > seconds.
> 
> I have to disagree for 3.5 reasons.
> 
> 1) Port scanning might be viable on a large campus to find some always-on VLC. 
> Hopefully a strong enough password, and a decent network security policy 
> prevents breaking in. Advertising is telling everything on the local network 
> that you're there now. Any cheap stupid hacked IOT gadget or CPE can pick it 
> up and MITM, as can somebody else on a public WiFi.
> 
> There is definitely some overlap with port scanning, but it looks like orders 
> of magnitude worse exposure. It's also more visible and thus more prone to 
> hostile PR.
> 
> 
> 2a) The advertising in itself actually adds a MITM risk, as the remote 
> applications have no means to distinguish the legitimate announces from 
> attacker's. Currently at least the user has to verify the IP address. So it's 
> not just adding exposure to the existing insecure interface, it's actually 
> making the sethings even more insecure.
> 

I don't understand the concept of MITM when announcing an identify. I get that an attacker could try and impersonate a running VLC but then you end up with 2 VLCs with a different IP, and that should instruct anyone to check why there are 2, and which one to connect to, if not giving up before finding out why there are duplicated records.

> 2b) It's not even clear that the proposed API (patch 1) can sustain the 
> hypothetical secure control interface. In fact, it looks very much like it 
> can't, as there are no ways to tie the announce to any kind of identity.
> 

I'm not sure to understand that point, you have the service name, type, additional TXTs, and IP/hostname. That's as far as MDNS goes (AFAIK)

> 
> 3) There is no sunset strategy for advertising the non-secure interface. If we 
> cannot even agree to remove an obscure user-hostile feature that literally 
> never worked like VLM schedules, how are we ever going to remove this user 
> friendliness feature if it gets merged?
> 

Discussing until reaching consensus, I suppose, but why would we need a sunset strategy for something that isn't merged when the issue appears to be an already merged feature.

I feels to me like this is something the users should be warned about, and could advertise at their own risks, but IMO the risk is rather low in most environment

-- 
  Hugo Beauzée-Luyssen
  hugo at beauzee.fr