On 16 Aug 2017, at 6:17, Mike West <mk...@google.com> wrote:

> In the commit linked above, I've adopted the second and third paragraphs with
> minor wording changes. It's not really clear to me where the crux of the
> first paragraph lies. IMO, malware is pretty clearly out of scope for
> software's security decisions, as anything running on the local machine with
> privilege equal to (or exceeding!) your own is basically impossible to
> defeat. Are there scenarios in which you think that's not the case, at least
> insofar as this draft is concerned?
That's why I mentioned sandboxing. A process running on the local host, inside a sandbox, listening on a local port, could be reachable by processes that aren't sandboxed, or are running in other sandboxes. So trusting localhost provides a way for a sandboxed process to screw you, basically. I don't know how serious a threat this is, but I think the idea that the set of trust zones on a single host is flat is not valid, and that's why I actually don't think that, even with this document published and in wide use, "localhost" should be considered trustworthy. A slightly less vulnerable approach would be to allow reserved ports on localhost to be trusted, but to not trust other ports, on the basis that something that can get a reserved port has privileges. This is still questionable, since a trusted sandboxed app could be compromised, but it's at least a smaller attack surface.
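The "trust only reserved ports on localhost" idea from the message above, as an added illustration that is not part of the original thread or of the draft under discussion. It runs a throwaway service on 127.0.0.1, accepts one connection, and classifies the peer by the source port it connected from. The 0-1023 threshold is an assumption of classic Unix semantics (on Linux it is tunable via net.ipv4.ip_unprivileged_port_start, and CAP_NET_BIND_SERVICE alone suffices to bind low ports); the function and constant names are made up for the example.

```python
import socket
import threading

# Assumption: classic Unix rule, ports 0-1023 need privilege to bind.
# On Linux the boundary is a sysctl and may differ.
RESERVED_PORT_MAX = 1023


def classify_loopback_peer(peer_addr):
    """Classify a peer from its (host, port) address tuple.

    'reserved'     -> came from a privileged source port, so the peer could
                      bind a low port and therefore held some privilege
    'unprivileged' -> ordinary ephemeral source port; tells you nothing about
                      which sandbox (if any) the peer lives in
    'not-loopback' -> not 127.0.0.0/8 at all
    Note the asymmetry: a privileged process can also use an ephemeral port,
    so 'unprivileged' is only the absence of evidence, not proof.
    """
    host, port = peer_addr[0], peer_addr[1]
    if not host.startswith("127."):
        return "not-loopback"
    if 0 <= port <= RESERVED_PORT_MAX:
        return "reserved"
    return "unprivileged"


def demo_loopback_roundtrip():
    """Bind a loopback service on an ephemeral port, connect to it from this
    same process, and return how the server classifies the connecting peer.

    Returns None if the sandbox running this has no usable loopback interface.
    """
    try:
        server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        server.bind(("127.0.0.1", 0))   # 0 = let the kernel pick a port
        server.listen(1)
    except OSError:
        return None
    port = server.getsockname()[1]
    result = {}

    def serve_once():
        conn, peer = server.accept()
        # Any local process, sandboxed or not, that can open a TCP socket
        # reaches this point; the source port is all the server learns.
        result["class"] = classify_loopback_peer(peer)
        conn.close()

    t = threading.Thread(target=serve_once)
    t.start()
    client = socket.create_connection(("127.0.0.1", port))  # ephemeral port
    t.join()
    client.close()
    server.close()
    return result.get("class")


if __name__ == "__main__":
    print(classify_loopback_peer(("127.0.0.1", 80)))      # reserved
    print(classify_loopback_peer(("127.0.0.1", 51000)))   # unprivileged
    print(demo_loopback_roundtrip())                      # unprivileged
```

The round trip lands in the "unprivileged" bucket because an ordinary client connects from an ephemeral port, which is exactly the message's point: the server on 127.0.0.1 cannot tell which trust zone on the host the peer came from. The reserved-port check narrows what is trusted but, as the message itself says, a privileged-but-compromised process still passes it.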
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop