Google's 'Project Zero' security effort just disclosed a DNS rebinding vulnerability in at least one popular Bittorrent client. There's some interesting description which helps me understand how it works:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1447
https://arstechnica.com/information-technology/2018/01/bittorrent-users-beware-flaw-lets-hackers-control-your-computer/

First off, I think this supports our decision to have token authentication enabled by default, even though it's inconvenient in some situations. As I understand it, this should prevent DNS rebinding attacks from taking any action that requires authentication.

Second, the fix Tavis Ormandy suggested for Transmission is interesting:

"""
I discussed this with a jannh, I think a good solution would work like this:

* If a connection is over the loopback interface, the hostname must match "localhost", "localhost.", "127.0.0.1", or "[::1]". This is the same list CUPS uses: https://github.com/apple/cups/blob/master/scheduler/client.c#L3752
* If a connection is not over loopback, allow any hostname iff auth is enabled.
* If a connection is not over loopback and auth is not enabled, require the user to create a whitelist of acceptable hostnames (They can specify * if they really really don't want security).
"""

Should we look at employing hostname whitelisting in addition to authentication, either as an extra line of defence or as a convenience for users on localhost? My leaning would be to do it as an extra line of defence; given how complex browsers are and the fact that Jupyter is designed to execute arbitrary code, defence in depth makes sense.

Thomas
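The three rules quoted above, turned into a Host-header check, as an added example that is not code from the original post, from Transmission, or from the Jupyter project. The function name `host_allowed`, the `allowed_hosts` parameter and the sample inputs are assumptions made for illustration. Only the network address of the peer decides whether a connection is "over loopback"; the Host header is what a rebinding attacker controls, so it is compared against the fixed list rather than resolved. IPv4-mapped IPv6 peers (`::ffff:127.0.0.1`) are unwrapped first so they are not mistaken for a non-loopback connection.

```python
import ipaddress
from typing import Iterable, Optional

# Hostnames accepted when the peer is on the loopback interface.
# This is the list Tavis Ormandy's note quotes (the same one CUPS uses).
LOOPBACK_HOSTS = frozenset({"localhost", "localhost.", "127.0.0.1", "[::1]"})


def _host_without_port(host_header: str) -> str:
    """Return the lower-cased host part of a Host header, dropping any :port.

    Bracketed IPv6 literals ("[::1]:8888") keep their brackets so that they
    match the "[::1]" entry of LOOPBACK_HOSTS.
    """
    host = host_header.strip().lower()
    if host.startswith("["):
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    # A single colon means "name:port"; more than one would be an unbracketed
    # IPv6 literal, which we leave alone (and which never matches the list).
    if host.count(":") == 1:
        return host.rsplit(":", 1)[0]
    return host


def _peer_is_loopback(peer_ip: str) -> bool:
    """True if the TCP peer address is a loopback address.

    Decided from the socket's peer address, never from the Host header,
    because the Host header is exactly what a DNS rebinding page controls.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    # Edge case: a dual-stack listener may report "::ffff:127.0.0.1".
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return addr.is_loopback


def host_allowed(
    host_header: str,
    peer_ip: str,
    auth_enabled: bool,
    allowed_hosts: Optional[Iterable[str]] = None,
) -> bool:
    """Apply the three rules from the quoted proposal to one request.

    1. loopback peer      -> Host must be one of LOOPBACK_HOSTS
    2. non-loopback, auth -> any Host is fine (auth protects the actions)
    3. non-loopback, no auth -> Host must be in the user's whitelist,
       where a whitelist entry of "*" disables the check
    """
    host = _host_without_port(host_header)
    if not host:
        return False

    if _peer_is_loopback(peer_ip):
        # Rule 1 applies regardless of auth: a rebound "evil.example.com"
        # that now resolves to 127.0.0.1 still arrives over loopback.
        return host in LOOPBACK_HOSTS

    if auth_enabled:
        return True  # rule 2

    if allowed_hosts is None:
        return False  # rule 3 with no whitelist configured: refuse
    whitelist = {h.strip().lower() for h in allowed_hosts}
    return "*" in whitelist or host in whitelist


if __name__ == "__main__":
    # Constructed sample requests: (Host header, peer address, auth, whitelist).
    samples = [
        ("localhost:8888", "127.0.0.1", False, None),          # normal local use
        ("evil.example.com:8888", "127.0.0.1", False, None),   # rebinding attempt
        ("[::1]:8888", "::1", False, None),
        ("notebook.internal", "10.0.0.5", True, None),
        ("notebook.internal", "10.0.0.5", False, None),
        ("notebook.internal", "10.0.0.5", False, ["notebook.internal"]),
    ]
    for host, peer, auth, wl in samples:
        print(f"{host:24} from {peer:16} auth={auth!s:5} -> "
              f"{'allow' if host_allowed(host, peer, auth, wl) else 'deny'}")
```

In a real server the check would run before any route handler, and the loopback decision must come from the accepted socket's peer address (for example `request.connection.context.address` in Tornado), not from anything the client sent.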
