river-dev mailing list archives

From Peter Firmstone <peter.firmst...@zeus.net.au>
Subject Security
Date Wed, 04 Feb 2015 14:07:29 GMT
There's a free certificate authority coming this year, I think privacy 
and security are hot topics these days: https://letsencrypt.org/

Just a quick note about something I'm currently exploring.

The good thing about River is it allows you to be mostly ignorant of 
security when developing services and clients and then later, using 
configuration, secure the services and clients.

River is secure for the following scenario:

    * One entity / company is responsible for the lookup service,
      services and clients.
    * Secure Discovery v2 is used.
    * Codebase Integrity and TLS / SSL Endpoints.
    * Authentication of services and clients is required.

Where River is not secure:

    * More than two entities / companies interact using lookup services,
      services and clients.
    * Secure discovery v2 is used.
    * Codebase Integrity and TLS / SSL Endpoints.

Why isn't it secure, what's vulnerable?

Well we know the sandbox isn't secure against DOS, but what about 
Serialization ObjectInputStream and using only local code?

Well that's not secure either.

Let's for a moment pretend that it is, what are the benefits?

We could use simple proxy services from a trusted lookup service, for 
example, without code downloads as trust is easily established.

We could define an interface for obtaining smart proxies from bootstrap 
proxies, and register the bootstrap proxy with entries on a lookup service.

We can prevent unauthorised code downloads with DownloadPermission using 
the right PreferredClassProvider.

This would allow clients to obtain the bootstrap proxy first, 
authenticate it, grant DownloadPermission to it, then use the smart proxy.

Anyway out of time right now, to be continued...

I'm presently investigating deserialization security and trying to fix 
another annoying River concurrency bug, these always seem to pop up when 
you're in the middle of something, taking days off the actual project.

Regards,

Peter.
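As an added illustration of the DownloadPermission scheme sketched above (not part of the original message or of the River project's own configuration), here is a client-side Java security policy restricting codebase downloads to one explicitly trusted codebase. The codebase URL, jar names and host are placeholders; the provider class and permission class are the ones shipped with River/Jini.

```text
// Hypothetical client policy, constructed for this example.
// Launch the client with:
//   -Djava.security.manager
//   -Djava.security.policy=client.policy
//   -Djava.rmi.server.RMIClassLoaderSpi=net.jini.loader.pref.RequireDlPermProvider
// RequireDlPermProvider is the PreferredClassProvider variant that refuses to
// create a class loader for any codebase URL that has not been granted
// net.jini.loader.DownloadPermission, so an unlisted codebase from a lookup
// result is never loaded, regardless of what the lookup service returns.

// Weak setting: an unrestricted grant lets any codebase annotation on a
// deserialized proxy trigger a download (left here commented out on purpose).
// grant {
//     permission net.jini.loader.DownloadPermission;
// };

// Corrected setting: only the codebase of the authenticated service's
// smart proxy may be downloaded. The URL is a placeholder.
grant codeBase "https://service.example.invalid/smart-proxy-dl.jar" {
    permission net.jini.loader.DownloadPermission;
};
```

With this policy the bootstrap proxy can still be obtained and authenticated using local code only; the smart proxy download succeeds solely for the codebase listed in the grant.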

