> My leaning would be to do it as an extra line of defence; given how complex browsers are and the fact that Jupyter is designed to execute arbitrary code, defence in depth makes sense.
I would be +1 on this. Cheers. 2018-01-16 12:44 GMT-03:00 Matthias Bussonnier <[email protected] >: > Hi Thomas, > > Thanks for the heads up, this is nice description. I think it's a good > idea to add this extra line of defense, and a flag to disable it with a big > warning, to give some people the time to upgrade the ability to update the > notebook server without deploying a large change to their infrastructure. > > Thanks ! > -- > Matthias > > On 16 January 2018 at 12:18, Thomas Kluyver <[email protected]> wrote: > >> Google's 'Project Zero' security effort just disclosed a DNS rebinding >> vulnerability in at least one popular Bittorrent client. There's some >> interesting description which helps me understand how it works: >> >> https://bugs.chromium.org/p/project-zero/issues/detail?id=1447 >> https://arstechnica.com/information-technology/2018/01/ >> bittorrent-users-beware-flaw-lets-hackers-control-your-computer/ >> >> First off, I think this supports our decision to have token >> authentication enabled by default, even though it's inconvenient in some >> situations. As I understand it, this should prevent DNS rebinding attacks >> from taking any action that requires authentication. >> >> Second, the fix Tavis Ormandy suggested for Transmission is interesting: >> >> """ >> >> I discussed this with a jannh, I think a good solution would work like this: >> >> * If a connection is over the loopback interface, the hostname must match >> "localhost", >> "localhost.", "127.0.0.1", or "[::1]". This is the same list CUPS uses: >> https://github.com/apple/cups/blob/master/scheduler/client.c#L3752 >> * If a connection is not over loopback, allow any hostname iff auth is >> enabled. >> * If a connection is not over loopback and auth is not enabled, require the >> user to >> create a whitelist of acceptable hostnames (They can specify * if they >> really >> really don't want security). >> """ >> >> Should we look at employing hostname whitelisting in addition to >> authentication, either as an >> extra line of defence or as a convenience for users on localhost? >> >> My leaning would be to do it as an extra line of defence; given how complex >> browsers are and >> the fact that Jupyter is designed to execute arbitrary code, defence in >> depth makes sense. >> >> Thomas >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Project Jupyter" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To post to this group, send email to [email protected]. >> To view this discussion on the web visit https://groups.google.com/d/ms >> gid/jupyter/CAOvn4qiNK_CrmtUx9rhwW%3D6zYu8meaPGDKE3C3pS4uhMc >> 742MA%40mail.gmail.com >> <https://groups.google.com/d/msgid/jupyter/CAOvn4qiNK_CrmtUx9rhwW%3D6zYu8meaPGDKE3C3pS4uhMc742MA%40mail.gmail.com?utm_medium=email&utm_source=footer> >> . >> For more options, visit https://groups.google.com/d/optout. >> > > -- > You received this message because you are subscribed to the Google Groups > "Project Jupyter" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To post to this group, send email to [email protected]. > To view this discussion on the web visit https://groups.google.com/d/ > msgid/jupyter/CANJQusWHdW4Cn8hC4iv_LN3%3DP8pRHdrLYasqmzBL_qwN357iVA% > 40mail.gmail.com > <https://groups.google.com/d/msgid/jupyter/CANJQusWHdW4Cn8hC4iv_LN3%3DP8pRHdrLYasqmzBL_qwN357iVA%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > > For more options, visit https://groups.google.com/d/optout. > -- *Damián Avila* -- You received this message because you are subscribed to the Google Groups "Project Jupyter" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jupyter/CAH%2BmRR3rU2jaF4UXrAck3ZTwsiC9%2Bin6fqbCbkOzreYGwD-%2BjA%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
