[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: server and client in one package -> security issue

From: Hartmut Goebel
Subject: Re: server and client in one package -> security issue
Date: Tue, 14 Feb 2017 11:28:32 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0

Am 13.02.2017 um 15:13 schrieb Ludovic Courtès:
> Now, back to the “only install the required software”, I wouldn’t go as
> far as you do.  I generally agree with the rule, but I’m skeptical as to
> what this buys you from a security perspective: users can always install
> whatever they want by hand anyway, and do you have an idea as to how
> much code they install via their browser?

Looks like we are talking about different systems. I'm talking about
hardened systems, esp. servers, where users are not allowed to install
additional software – not even browser add-on.

Yes, even on these systems a skilled person can install any software
he/she wants. But it is much effort and requires more skills – depending
on a lot of parameters – to bring an exploit to the system as if the
exploit is already there since some software including the exploit is
already installed.

Is stress the example with the door of your flat again: For a skilled
person opening a locked door is easy even if there is a pun tumbler lock
[1]. But would you use just a ward key instead, which can be opened by
nearly anybody – and even lay the skeleton key [2] beside the door?

And this what hardening is about: reducing the attack surface and
removing as many tools as a possible.

Is a GNU/Linux distribution separates components sorrowly, its easier to
harden the system, which makes the distribution more attractive compared
to other distributions.


Hartmut Goebel

| Hartmut Goebel          | address@hidden               |
| | compilers which you thought are impossible |

reply via email to

[Prev in Thread] Current Thread [Next in Thread]