Hi Thomas,

Thanks for the heads up, this is a nice description. I think it's a good idea to add this extra line of defense, and a flag to disable it with a big warning, to give some people the time to upgrade the ability to update the notebook server without deploying a large change to their infrastructure.
Thanks!

-- Matthias

On 16 January 2018 at 12:18, Thomas Kluyver <[email protected]> wrote:
> Google's 'Project Zero' security effort just disclosed a DNS rebinding
> vulnerability in at least one popular Bittorrent client. There's some
> interesting description which helps me understand how it works:
>
> https://bugs.chromium.org/p/project-zero/issues/detail?id=1447
> https://arstechnica.com/information-technology/2018/01/bittorrent-users-beware-flaw-lets-hackers-control-your-computer/
>
> First off, I think this supports our decision to have token authentication
> enabled by default, even though it's inconvenient in some situations. As I
> understand it, this should prevent DNS rebinding attacks from taking any
> action that requires authentication.
>
> Second, the fix Tavis Ormandy suggested for Transmission is interesting:
>
> """
> I discussed this with a jannh, I think a good solution would work like this:
>
> * If a connection is over the loopback interface, the hostname must match
>   "localhost", "localhost.", "127.0.0.1", or "[::1]". This is the same list
>   CUPS uses:
>   https://github.com/apple/cups/blob/master/scheduler/client.c#L3752
> * If a connection is not over loopback, allow any hostname iff auth is
>   enabled.
> * If a connection is not over loopback and auth is not enabled, require the
>   user to create a whitelist of acceptable hostnames (They can specify * if
>   they really really don't want security).
> """
>
> Should we look at employing hostname whitelisting in addition to
> authentication, either as an extra line of defence or as a convenience for
> users on localhost?
>
> My leaning would be to do it as an extra line of defence; given how complex
> browsers are and the fact that Jupyter is designed to execute arbitrary code,
> defence in depth makes sense.
>
> Thomas
>
> --
> You received this message because you are subscribed to the Google Groups
> "Project Jupyter" group.
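The three rules Tavis Ormandy lists in the quoted message can be expressed as a small Host-header check. The following is an added example written for this page; it is not code from the Jupyter notebook server, from Transmission, or from anyone in the thread. The function names (`host_allowed`, `split_host_port`, `connection_is_loopback`), the `remote_ip` argument (assumed to be the peer address of the TCP connection as the server's socket reports it) and all sample addresses and host names are assumptions made for the example.

```python
"""Host-header check modelled on the fix quoted in the thread.

Added example, not Jupyter's or Transmission's code. The rules:
  1. loopback connection   -> Host must be one of the fixed local names
  2. non-loopback, auth on -> any Host is accepted
  3. non-loopback, auth off-> Host must be on a user-supplied whitelist
     ("*" in the whitelist disables the check, as the quoted text allows)
"""
import ipaddress

# The host names CUPS accepts for loopback clients, as quoted in the thread.
LOOPBACK_HOSTS = frozenset({"localhost", "localhost.", "127.0.0.1", "[::1]"})


def split_host_port(host_header):
    """Return (host, port) from an HTTP Host header value.

    The host is lower-cased; IPv6 literals keep their brackets so that they
    compare against "[::1]". Raises ValueError on malformed input so the
    caller can fail closed.
    """
    header = host_header.strip().lower()
    if header.startswith("["):
        close = header.find("]")
        if close == -1:
            raise ValueError("unterminated IPv6 literal in Host header")
        host, rest = header[: close + 1], header[close + 1 :]
    else:
        host, sep, rest = header.partition(":")
        rest = sep + rest
    port = None
    if rest:
        if not rest.startswith(":") or not rest[1:].isdigit():
            raise ValueError("malformed port in Host header")
        port = int(rest[1:])
    return host, port


def connection_is_loopback(remote_ip):
    """True if the peer address is a loopback address.

    IPv4-mapped IPv6 peers (::ffff:127.0.0.1) show up on dual-stack sockets;
    the embedded IPv4 address is checked so they are not treated as remote.
    """
    addr = ipaddress.ip_address(remote_ip)
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return addr.is_loopback


def host_allowed(remote_ip, host_header, auth_enabled, whitelist=()):
    """Decide whether a request's Host header is acceptable.

    Any parse failure (bad Host header, unparseable peer address) is treated
    as a rejection: a defence-in-depth check should fail closed.
    """
    try:
        host, _port = split_host_port(host_header)
        remote_is_loopback = connection_is_loopback(remote_ip)
    except ValueError:
        return False
    if remote_is_loopback:
        # Rule 1: a DNS-rebinding page reaches 127.0.0.1 over loopback, but
        # its Host header carries the attacker's domain, so it is rejected
        # regardless of whether authentication is on.
        return host in LOOPBACK_HOSTS
    if auth_enabled:
        return True  # Rule 2
    allowed = {name.lower() for name in whitelist}
    return "*" in allowed or host in allowed  # Rule 3


if __name__ == "__main__":
    # Constructed sample requests (not captured traffic): peer, Host, auth, whitelist.
    samples = [
        ("127.0.0.1", "localhost:8888", False, ()),          # normal local use
        ("127.0.0.1", "attacker.example:8888", False, ()),   # rebinding attempt
        ("::ffff:127.0.0.1", "localhost", False, ()),        # dual-stack loopback
        ("10.0.0.5", "jupyter.internal:8888", True, ()),     # remote, auth on
        ("10.0.0.5", "jupyter.internal:8888", False, ()),    # remote, auth off
        ("10.0.0.5", "jupyter.internal:8888", False, ("jupyter.internal",)),
    ]
    for peer, host, auth, wl in samples:
        print(f"{peer:>18} Host={host:<26} auth={auth!s:<5} -> "
              f"{'allow' if host_allowed(peer, host, auth, wl) else 'reject'}")
```

Two caveats a practitioner would want. First, the check only defends against browser-originated requests, where page script cannot set the Host header; a non-browser client can send any Host it likes, which is why the quoted message treats this as a second line of defence behind token authentication rather than a replacement for it. Second, rule 1 keys off the connection's peer address, not the address the server is bound to: a user on the same machine who browses to the server via its LAN IP arrives over a non-loopback path and is governed by rules 2 and 3.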
