Björnke von Gierke wrote:
> On Dec 01 2004, at 11:02, sims wrote:
>> I'm curious about what security concerns that a chat (or sockets in
>> general) might open up for the user and what (if any) precautions
>> need to be taken.
>
> This of course varies with the implementation, but talking about
> chatrev, I can assure you that there is no security risk whatsoever
> for the client. This is mainly due to the fact that the client never
> opens a port.

How does it create a socket connection without opening a port?

> However this is about to change, as we are incorporating file
> transfer (Which needs an accept connection at one end). Still,
> the opened port is occupied by rev and closed swiftly after
> finishing transfer, and because of that you won't get any
> malicious attempt through.

I'm no security expert, and this may be just a case of my own ignorance getting the best of me, but for my own wares I would be very careful about offering such broad assurances for anything involving network software. Maybe "unlikely to" is more accurate than "won't".
Anytime one computer talks to another there are at least two risks:
- One of the computers may be in the hands of someone with malicious intent
- While in transit the data may be intercepted by a malicious third party
The beauty of TCP is that it's a ubiquitous standard that's been around for a long, long time, so everyone uses it and all tools can be interoperable with it.
The downside of its ubiquity and maturity is that there are people out there who devote a sad majority of their lives to mastering TCP specifically to destroy other people's constructive activity. Most of those misanthropes are far smarter than me, and have a deeper knowledge of TCP and its implementations across operating systems than I'll ever have.
I believe that absolute security is not achievable, and that the best we can aim for is to slow down exploits. That's not so bad, and is good enough for businesses and even governments to go about their business more productively than without software.
But I would be wary of giving people the impression that a software provides absolute security. Instead, communicating what it does to protect itself may be all that's needed for the user to make their own risk assessment.

--
 Richard Gaskin
 Fourth World Media Corporation
 ___________________________________________________________
 [EMAIL PROTECTED]       http://www.FourthWorld.com
_______________________________________________
use-revolution mailing list
[EMAIL PROTECTED]
http://lists.runrev.com/mailman/listinfo/use-revolution
