[icecast] a new directory service
Jack Moffitt
jack at xiph.org
Thu Oct 18 03:43:48 UTC 2001
> #2 To Jack.. Anyone who has an interest in promoting their station above
> others has an interest in this. If they can either (as currently) lie
> about listener counts to rocket to the top of the list, or (in a listener
> count-less system) do something like hijack or fake out other connections
> to say.. blank out the correct URL, or update the server with meaningless
> data, they'll do it.
Performing a man-in-the-middle attack is quite difficult, certainly out
of the range of many broadcasters. Maybe some one could do it, but it's
easily noticeable.
The chances of someone sucessfully attacking a target of their choice is
quite slim in this system, unless they can assume control of the server
machine or assume control of the source machine. In either of those
situations, it would matter little what security method was used.
The chances of randomly finding an attackable server (say by sniffing on
your dorm network) is also slim. If this becomes a practical problem,
there are certainly practical solutions. We can address it when we get
there.
If changing data on your own stream is easy (which it always is) and it
affects your listing, people will do it; I agree with you. There is
little incentive (besides random mischief) to alter others. And doing
so is sufficiently difficult for practical purposes and so I feel this
is an effective measure. It's certainly far improved from what's being
commonly used now, and if needed, we can add more.
Public keys are not really as easy to use as everyone would like. If
needed it can be done. And I have no doubts that at some point
something like this will get in there, but there's little reason to do
so right now.
But like I said, these decisions and thoughts are based on common
scenarios, both that I've seen happen, and that I have figured out on my
own. Preventing those scenarios is my goal, not absolute security.
If you think there are scenarios that aren't being considered, or you
feel strongly that sniffing attacks are sufficiently dangerous, then by
all means speak up :)
But I feel that for now we have 'enough' for current purposes. We can
always change the amount.
jack.
--- >8 ----
List archives: http://www.xiph.org/archives/
icecast project homepage: http://www.icecast.org/
To unsubscribe from this list, send a message to 'icecast-request at xiph.org'
containing only the word 'unsubscribe' in the body. No subject is needed.
Unsubscribe messages sent to the list will be ignored/filtered.
More information about the Icecast
mailing list