Pavel Simerda wrote: > On Sat, 23 Aug 2008 20:37:58 +0200 > Dirk Meyer <[EMAIL PROTECTED]> wrote: > >> Dirk Meyer wrote: >> > Pavel Simerda wrote: >> >> On Sat, 23 Aug 2008 18:21:38 +0200 >> >> Dirk Meyer <[EMAIL PROTECTED]> wrote: >> >>> UPnP is a working choice, but bad. Just google for it. >> >> >> >> I know what UPnP is. >> > >> > I mean: google why it is a bad choice :) See below >> >> This is a good doc: >> http://www.gnucitizen.org/blog/hacking-the-interwebs/ >> >> Automatic access to something without password is a very bad >> idea. That is why I want certificates for all my bots. I would have no >> problem with a bot on my router opening ports for other bots that have >> a valid certificate. > > There is a difference between a password and a key.
Sure. I want my bots to have a certificate, but using a key is as good as that for me. But IMHO there should be something. UPnP has no security; no keys, no certificates. > There is a difference between a symmetric croptography key and a > pair of public/private keys for asymmetric cryptosystems. I know that. > There is a lot of places where automatic access (read or even write) > without a password (or key) is appropriate. Yes, but not when it is about changing the dns server of the router. > These general statements about security are usually false (there is > almost always a bunch of cases where it doesn't do any good). What general statements? Maybe you missunderstood what I wanted to say: I wanted to say that I do not like the fact that UPnP has no security and that everything in my LAN can configure my router because of it. I wanted to have certificates for my bots doing that. Dirk -- When someone says, 'do you want my opinion?' - have you noticed that it's always a negative one.
