[icecast] a new directory service

Ethan Butterfield primus at veris.org
Mon Sep 17 22:03:15 UTC 2001



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Sep 17, 2001 at 01:59:03PM -0700, rillian wrote:

> Unfortunately, anything more secure requires a shared secret, and thus 
> an ssl-connection over which to send it. 

Not necessarily. There's always public-private key encryption, which 
wouldn't be too hard to implement. Of course, now we run into the trust 
problem of receiving a server key over the Internet and all, but that's 
just being pedantic and not appropriate for this discussion.

> For example, running the 
> contents of the update through the hash in addition to the password 
> would let the server verify each update directly and block replay 
> attacks. Of course, this assumes the connection in between is more 
> vulnerable than the server and/or the client's machine, so perhaps in 
> practice it's so much better. Still, I think it's worth trying to do 
> this right.

I'd love to see the backend connection to the directory server being 
run through an SSL tunnel. Not being a programmer, though, I don't know of 
the scope of effort it would take to implement that. Something for Jack to 
answer.

The real question comes down to this: What is the value of the data we're 
trying to protect? Conceivably, someone could hijack the connection and 
send false data back to the directory server. Maybe just mess with your 
listing, maybe a form of DoS. Perhaps you might be able to inject 
something that would mess with the directory server itself. I think, 
though, that if that were the case, you'd be able to break things even if 
it was running over SSL. Sure, I'd rather have everything encrypted. 
Whether or not that's feasible, though...

- -- 

 "Nothing's the same anymore."
     - Cmdr. Jeffrey Sinclair, Babylon-5, "Chrysalis"
-----BEGIN PGP SIGNATURE-----
Comment: For info see http://www.gnupg.org

iD8DBQE7pnMiAmwSMwnpLHgRAj0JAKCfwPVMqe3zJea+UzhFMtZRPUNycACdFAVq
xzbqgDCHieyMTBwLQJF0mLk=
=vRxC
-----END PGP SIGNATURE-----
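
The per-update check described in the quoted text, as an added example (not code from this thread or from icecast): each update carries a tag computed over its contents with the shared password, and the server verifies it before accepting the update. The field names, the sequence number used to recognise a replayed update, and the use of HMAC-SHA256 in place of a bare hash are assumptions of this example.

```python
import hashlib
import hmac
import json


def sign_update(password: bytes, seq: int, fields: dict) -> dict:
    """Client side: tag the update contents with the shared password."""
    # seq is a hypothetical per-stream counter carried inside the signed body.
    body = json.dumps({"seq": seq, **fields}, sort_keys=True).encode()
    tag = hmac.new(password, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


class DirectoryServer:
    """Server side: verify each update, reject tampered or replayed ones."""

    def __init__(self, passwords: dict):
        self.passwords = passwords  # stream id -> shared password
        self.last_seq = {}          # stream id -> highest seq accepted so far

    def accept(self, stream_id: str, msg: dict) -> str:
        password = self.passwords.get(stream_id)
        if password is None:
            return "unknown-stream"
        expected = hmac.new(password, msg["body"].encode(),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison of the received and recomputed tags.
        if not hmac.compare_digest(expected, msg["tag"]):
            return "bad-tag"
        seq = json.loads(msg["body"])["seq"]
        if seq <= self.last_seq.get(stream_id, -1):
            return "replay"
        self.last_seq[stream_id] = seq
        return "ok"


def demo() -> list:
    pw = b"constructed-shared-secret"  # constructed sample value
    server = DirectoryServer({"stream-1": pw})
    first = sign_update(pw, 1, {"listeners": 12, "title": "Track A"})
    # Same tag, altered contents: models an update modified in transit.
    altered = dict(first, body=first["body"].replace("12", "9999"))
    second = sign_update(pw, 2, {"listeners": 13, "title": "Track B"})
    return [server.accept("stream-1", m)
            for m in (first, altered, first, second)]


if __name__ == "__main__":
    print(demo())
```

The password itself never crosses the wire in this arrangement; only the update body and its tag do.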
