Hi Mike,
On Thu, 26 Apr 2007, Mike Fitzpatrick wrote:
> Security
>
> The spoofing thing is a minor breach (IMHO), but I pointed it out
> more for the purpose of asking why an app would need to know its, or
> any other, ID in the first place. It seems to me this is entirely a
> construct in the Hub and shouldn't be part of the user interface since
> it presents some complications (which I'll point out in the use cases
> I've been neglecting to post).
> While this has a feel-good aura about it, I'd like to see the
> security put off to a later version unless somebody can convince me this
> is a real issue in a one-user, one-desktop system. Again, I'm just saying
> spoofing=silly_reason_to_have_appID_in_the_interface.
Security is not something I'm keen to have in just for the sake of it: what got me thinking about it was a scenario along the following lines (this is a real situation which cropped up when PLASTICising GAIA): A certain application implements a message which can have serious side-effects (in my case it was executing some arbitrary Tcl code, which could include something along the lines of 'exec rm *'). With no security at all, there's nothing to stop another application (which may not be running under the user ID of the person running the hub) finding out or guessing the port where the hub resides, and sending a destructive message. The receiving application has no way of knowing that this is not from a legitimate participant in the messaging conversation.
What's needed to fix this is for requests to other applications (via the hub) to be only possible for applications which know something private to the user - this might be gathered from a (600) ~/.ivoamsg file or granted by the user explicitly permitting the hub to grant access to that program when it requests a connection.
In general the hub will have to be told which application is making a request to it in any case, so that it can inform other applications etc. Thus applications sending messages will need to provide some kind of self-id with these messages. So (I'd argue) it might as well be a private (hub-generated) one, since this removes worries about whether it's going to be unique and also prevents spoofing.
Mark
--
Mark Taylor
Astronomical Programmer
Physics, Bristol University, UK
m.b.taylor@bris.ac.uk
+44-117-928-8776
http://www.star.bris.ac.uk/~mbt/

Received on 2007-04-27Z11:15:51
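The scheme sketched in the message above (a secret readable only by the hub's user, registration gated on knowing that secret, a hub-generated private id per application, and recipients seeing the hub's own notion of the sender rather than a self-declared one), as an added Python illustration. This is not code from the thread or from PLASTIC/SAMP; the `Hub` class, the lock file written into a temporary directory, the client ids and the message strings are all assumed or constructed here.

```python
import hmac
import os
import secrets
import tempfile


class Hub:
    """Toy hub. The secret is written 0600 so only the owning user can read it;
    each registration returns a hub-generated private id (for sending) and a
    public id (what other applications see as the sender)."""

    def __init__(self, lockfile):
        self.secret = secrets.token_hex(16)
        fd = os.open(lockfile, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write(self.secret)
        self.clients = {}  # private_id -> public_id
        self.inbox = {}    # public_id -> [(sender_public_id, message)]

    def register(self, presented_secret):
        # Constant-time comparison; a caller that cannot read the file gets nothing.
        if not hmac.compare_digest(presented_secret, self.secret):
            return None
        private_id = secrets.token_hex(16)
        public_id = f"client-{len(self.clients) + 1}"
        self.clients[private_id] = public_id
        self.inbox[public_id] = []
        return private_id, public_id

    def send(self, private_id, recipient_public_id, message):
        # The sender's identity is whatever the hub issued, never self-asserted.
        sender = self.clients.get(private_id)
        if sender is None or recipient_public_id not in self.inbox:
            return False
        self.inbox[recipient_public_id].append((sender, message))
        return True


def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".ivoamsg")  # constructed stand-in for ~/.ivoamsg
        hub = Hub(path)
        mode = os.stat(path).st_mode & 0o777
        with open(path) as f:  # legitimate apps run as the same user and can read it
            secret = f.read()
        gaia_priv, gaia_pub = hub.register(secret)
        tool_priv, tool_pub = hub.register(secret)
        ok = hub.send(tool_priv, gaia_pub, "display.image")
        rogue = hub.register("guessed-secret")          # cannot read the file
        forged = hub.send("made-up-private-id", gaia_pub, "run.script")
        return mode, ok, rogue, forged, hub.inbox[gaia_pub]
```

The receiving side sees `client-2` as the sender because the hub attached it, which is what removes the uniqueness and spoofing worries raised above.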