On Feb 29, 2012, at 3:51 PM, Simo Sorce wrote:

> On Wed, 2012-02-29 at 10:09 -0700, Chris Murphy wrote:
>> 
>> My example is mDNS being blocked in the Firewall by default *and* it 
>> requires a root password to unblock it. Completely retarded.
> 
> Except that mDNS is a real security issue (because you can hijack name
> resolution quite easily with it).

Fair enough but then I'd argue mDNS's present method of dealing with hijacking. 
If two clients respond with the same name, it seems that all other clients on 
the network should blacklist both clients rather than trusting the one that 
answers first. Disabling it entirely is the granularity of a large hammer. mDNS 
is still much more useful than not useful, and more useful than statistically 
risky, despite being highly spoofable.

> That said I understand your pain and realize the current solution is
> not ideal for the casual user. Maybe we should have 2 security profiles
> (lax and strict) that you can choose at install time so that people can
> choose what they like best.

I was under the impression F17 was going to have a different firewall, such 
that mDNS was going to be enabled if a service, such as sshd, was enabled and 
also has an Avahi service listing. Or something like that.


Chris Murphy
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
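
An added illustration, not part of the original message: the conflict policy proposed above (distrust every responder when two claim the same name) next to first-answer-wins, run over constructed observations. The function names and the tuple format are assumptions; the sketch models the policy only and does not parse mDNS packets.

```python
from collections import defaultdict

# Constructed sample: (claimed name, responder source address, advertised A record).
# Addresses come from the RFC 5737 documentation range.
OBSERVED = [
    ("printer.local", "192.0.2.10", "192.0.2.10"),
    ("nas.local",     "192.0.2.20", "192.0.2.20"),
    ("printer.local", "192.0.2.66", "192.0.2.66"),  # second responder, same name
    ("nas.local",     "192.0.2.20", "192.0.2.20"),  # repeat announcement, same host
]

def first_answer_wins(observed):
    """Baseline: trust whichever responder claimed the name first."""
    cache = {}
    for name, _source, addr in observed:
        cache.setdefault(name, addr)
    return cache

def quarantine_on_conflict(observed):
    """Policy from the message: if two different responders claim one name,
    resolve that name to nothing and distrust every responder that claimed it."""
    claims = defaultdict(dict)  # name -> {source: addr}
    for name, source, addr in observed:
        claims[name][source] = addr
    cache, blocked = {}, set()
    for name, by_source in claims.items():
        if len(by_source) == 1:
            cache[name] = next(iter(by_source.values()))
        else:
            blocked.update(by_source)
    # A blocked responder loses every name it claimed, not just the contested one.
    cache = {n: a for n, a in cache.items() if not (set(claims[n]) & blocked)}
    return cache, blocked

if __name__ == "__main__":
    print("first answer wins:", first_answer_wins(OBSERVED))
    cache, blocked = quarantine_on_conflict(OBSERVED)
    print("quarantine policy:", cache, "blocked:", sorted(blocked))
```

In the sample run the contested name stops resolving for everyone, including its legitimate owner, so the policy trades a spoofing risk for an availability one.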
