river-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tom Hobbs <tvho...@googlemail.com>
Subject Re: Towards Internet Jini Services (dos attacks) Smart Proxy Isolation
Date Mon, 04 Oct 2010 10:08:09 GMT
>  Because it's possible and will improve security, I think we should
> investigate it further, this could allow us to unmarshall the proxy and
> determine trust without changing the Jini Service model.  There's still
> Service UI to consider too, but that happens after determining trust.  We
> need to be immune to DOS attacks during the period we're trying to determine
> trust.
>

I don't want to discourage anyone from doing anything, but I find this
concerning.  To my mind, something should either be 100% secure; like
operating systems are (supposed to be), or there should be a clear "download
and run at your own risk".  Things we pay for (buying stuff off the
internet, online banking, hosted services etc) are supposed to be secure and
there are clear SLAs describing what happens if it's not.  Everything else
you download is very much "on your own head, be it".

What I'm getting from these recent discussions is broadly this;

- "We can protect against this kind of threat, but not that one."
- "We can't protect, at all, against this other kind of thread."
- "We can mitigate the consequences of this kind of thread."

And that's only for the kinds of things we can think of.  I agree with Sim
on this one, it feels like we're creating a false sense of security.  The
danger I see in this is that people will either;

1) See our security designs, see that they're incomplete and announce that
"River is insecure".
2) See our secuirty designs, miss what they do and do not provide, and
announce that "River is bullet-proof".

Both of these statements are wrong and both are dangerous.  I'm still of the
opinion that we can provide secure services through trust (that's a
lower-case, none Computer Science "trust") and not through code.  If,
typically, people get their proxies from some kind of "app store" that they
trust, the community can make sure that only trusted services can get onto
the "app store".  If you want to use a less-known and maybe less trust
worthy "app store" then that's up to you.

I'm leaning towards programmatic security being an all-or-nothing affair.
 Since it appears that we can't protect against everything; I'm reminded
that we can lock and bolt the door as much as we like, but if we leave our
Windows unsecure (ha ha) then the bad guys will still get in.

Tom

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message