Saikat Guha wrote:
> On Tue, 2006-07-18 at 21:24 -0300, Ivan Arce wrote:
>> Why do I distrust UDP for security-sensitive applications?
>
> Hang on. We are talking about "real security" and not good-old
> plain-text security world right?
>
> Security needs to be end-to-end. Choice of transport protocol doesn't
> matter. e2e101.

Choice of transport defines a lot of things, among them how much more effort you'll need to achieve "real security". Also I don't know why you assume that "good-old plain-text" is not "real security". It all depends on your requirements and the risk/threats you are willing to assume in a particular application.

In this particular case, the original post was related to VoIP. IMHO the single most important factor for a VoIP application to work well is how it deals with latency and latency variations (not throughput or congestion) and that's why I liked David Barret's rationale for UDP.

>
> Email security is in your PGP/SMIME signature; doesn't matter whether it
> was transferred over UDP or TCP. You can come up with similar arguments
> for P2P apps.
>
> Of course if you are willing to trade off real security for
> implementation ease (laziness?), then that's a different issue.

Erhm not necessarily, I could choose IPv6 or IPSEC and off-load a lot of work to lower layers (but I still need to know what the hell I am doing so I don't shoot myself in the foot).

Anyway, my point is: No, all transports are not the same. You need to be careful when you pick one and understand the implications. Many applications pick UDP but then choose not to address the security implications or in doing so they fail miserably.

-ivan

--
"Buy the ticket, take the ride" -HST

Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES
http://www.coresecurity.com

PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
