On Sat, 18 Jun 2016 04:49 am, Paul Rubin wrote:

> The blog post below is from a couple days ago:
>
> http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html
>
> The blog post criticizes Redis and Memcached for not using any
> authentication (since "safe" internal networks are often not safe) and
> makes the interesting claim that even services on localhost should use
> authentication these days.

That's not quite what they say. They say that the problem is that "trusted internal networks" are often no safer than the Internet and shouldn't be trusted. It does also say:

"Even an unauthenticated service listening on localhost is risky these days."

but falls short of *explicitly* recommending that they should be authenticated. Although they do *implicitly* do so, by saying that "it wouldn't be hard" for such services to include a password.

The author doesn't go into details of what sort of attacks against localhost they're talking about. An unauthenticated service running on localhost implies, to me, a single-user setup, where presumably the single user has admin access to localhost. So I'm not really sure what "risk" they have -- e.g. I'm sure that I could do all sorts of bad things to localhost by exploiting http services. Or I could just go "sudo rm -rf /" [don't do this at home]. Or whatever evil thing I had in mind.

But perhaps they mean a scenario where I'm running a service on localhost and offering it to other users on a local network. In which case it makes sense: trusted internal networks perhaps shouldn't be trusted.

-- 
Steven

-- 
https://mail.python.org/mailman/listinfo/python-list