Hi,
David Holmes wrote on 22. 12. 2017 at 01:35:
On 22/12/2017 10:29 AM, Steven Schlansker wrote:
On Dec 21, 2017, at 11:11 AM, Steven Schlansker
<stevenschlans...@gmail.com> wrote:
What if ConnectException included the attempted hostname / IP / port
SocketAddress?
java.net.ConnectException: Connection to
'foo.mycorp.com[10.x.x.x]:12345' refused
Much more useful! This could also be extended to various other
socket exceptions.
I believe there are concerns with too much information that can be
considered "sensitive" (like host names and IP addresses) appearing in
error messages due to them ending up in log files and bug reports.
David
For debugging purposes it might sometimes be enough to get just a hint
about the actual address / port but not reveal it entirely. The person
doing debugging probably knows more about the environment than an
average person so the hint might give him enough information to discern
the actual address / port. Exposing just the last octet of an IP address
and the last digit of the port might do. For example:
java.net.ConnectException: Connection to X.X.X.205:XXX8 refused.
So Steven, I'm curious whether such a hint would help in your case?
An attacker that knows something about the environment could find out
the missing pieces without such hints anyway (simply by scanning IPs /
ports), so such partial information is not that sensitive nowadays.
Another idea: define a one-way function that maps the IP:port pair into
a value which is displayed in the exception message. For debugging
purposes this might be enough since the one doing debugging might know
the set of possible IP:port pairs in advance. He could then apply the
function to each of them in turn and find out the matching pair.
Regards,
Peter
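
The two ideas in this message (the masked hint and the one-way tag that is matched against known candidates), as an added sketch that is not part of the original thread or of the JDK. The class and method names, the key and the addresses are constructed for illustration. It assumes a keyed HMAC-SHA256 as the one-way function, because an unkeyed hash of an IPv4 address and port can be reversed by the same enumeration of candidates.

```java
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.util.List;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class AddressHint {
    // Partial hint: last octet of the address and last digit of the port (IPv4 assumed).
    static String masked(InetSocketAddress a) {
        byte[] ip = a.getAddress().getAddress();
        return "X.X.X." + (ip[ip.length - 1] & 0xff) + ":XXX" + (a.getPort() % 10);
    }

    // One-way tag: HMAC-SHA256 over the canonical "ip:port" string, truncated to
    // 8 hex characters for log readability. The key is an assumption of this sketch.
    static String tag(byte[] key, InetSocketAddress a) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        String canonical = a.getAddress().getHostAddress() + ":" + a.getPort();
        byte[] digest = mac.doFinal(canonical.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (int i = 0; i < 4; i++) hex.append(String.format("%02x", digest[i] & 0xff));
        return hex.toString();
    }

    // Debugging side: apply the function to each known candidate and return the match.
    static InetSocketAddress resolve(byte[] key, String seen, List<InetSocketAddress> candidates)
            throws Exception {
        for (InetSocketAddress c : candidates)
            if (tag(key, c).equals(seen)) return c;
        return null; // the address is not in the candidate set
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8); // constructed
        InetSocketAddress target = new InetSocketAddress("10.1.2.205", 12348); // constructed
        List<InetSocketAddress> known = List.of(
                new InetSocketAddress("10.1.2.17", 12348),
                target,
                new InetSocketAddress("10.1.9.205", 8080));
        String seen = tag(key, target);
        System.out.println("Connection to " + masked(target) + " refused");
        System.out.println("Connection to [addr#" + seen + "] refused");
        System.out.println("resolved: " + resolve(key, seen, known));
    }
}
```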