Trent,

> I'd like to repoint out that mDNS is an *untrusted*, *ad-hoc* source.
>
> If you have something relying on mDNS for any secure operation then THAT
> IS BROKEN, not Avahi.

You are correct. Avahi is inherently insecure, and by design. It is the fact
of having mDNS on the machine at all that is the problem, whether or not any
other services use it. It creates an insecure network overlay that can be
used to communicate with other computers in violation of network security
policies. It is for that reason that it should not be installed by default,
and at the very least should not be a required dependency of
ubuntu-desktop, as it is now.

In the United States, companies are required to segregate and control
information within the company. E.g., human resources, accounting, and sales
should not have access to each other's information except in certain
pre-defined ways that are established by the company's information security
policy. The network administrators go to great lengths to ensure that
information can be shared in accordance with the policy.

For publicly traded companies, or those who have such aspirations,
Sarbanes-Oxley imposes personal liability on corporate officers for
violations of corporate information control policies. For the detailed
Sarbanes-Oxley requirements for information control, see
http://www.isaca.org/Template.cfm?Section=COBIT6&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=55&ContentID=7981.

Avahi permits employees to communicate information outside of the normal
networking channels. Thus, an employee in accounting could grant access to
payroll information to someone in sales, which would be VERY bad and would
contravene standard practices in corporate networks.

I just don't see why we would intentionally install an insecure networking
protocol by default.

Happy Trails,

Loye Young
Isaac & Young Computer Company
Laredo, Texas
http://www.iycc.biz

-- 
SetHostName can be called by users
https://bugs.launchpad.net/bugs/195140
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs