trusted apps and trusted networks (was: 5tFTW: Fedora 21, 22, and 19, firewall discussion, and holiday break)
Stephen John Smoogen
smooge at gmail.com
Sun Dec 21 18:27:50 UTC 2014
On 21 December 2014 at 09:45, Björn Persson <Bjorn at rombobjörn.se> wrote:
> Mattia Verga wrote:
> >Since I'm not good to write complex sentences in English, here is a
> >schema that explains how I think firewalld should work as I wrote in
> >the previous post.
>
> A "trusted app" to me would mean that I trust that it's secure enough
> to communicate even on *untrusted* networks. I don't usually trust any
>
That is personal semantics versus actual semantics. You define "trusted" as
X, someone defines it as Y. They may or may not overlap which causes all
kinds of arguments over words versus actual usage.
What Mattia is saying is that you set levels of trust for programs or
acceptance (again another overloaded word that will causes arguments over
definitions).
Program A is 'accepted' or 'trusted' or 'fill in your word here' to work on
network A without intervention. If the system is not on that network then
before Program A can have a port open, it needs the user to determine
whether or not that is allowed.
Program B is not 'accepted' in any white list and so the user needs to be
notified.
I think in the end a firstboot or anaconda module on user security settings
should be put in. In places where the environment is preset up, it can be
turned off easily in kickstart or a boot time flag.
User A wants to be notified of all programs opening ports even if he is
going to whitelist them.
User B does not want to be notified and could care less about security.
etc.
> network, but in the rare cases when I do, I'll let any bug-ridden junk
> communicate because I'm confident that there isn't anything on the
> network that will exploit any security holes. If Gnome-user-share (your
> example) can't be trusted on untrusted networks, then including it in a
> "trusted app list" seems very wrong. Since you didn't even give the user
> an option to allow Gnome-user-share to communicate on the untrusted
> network, your list seems more ĺike a list of known defective apps.
>
> --
> Björn Persson
>
> --
> devel mailing list
> devel at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
>
--
Stephen J Smoogen.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20141221/eaaeb1f2/attachment-0001.html>
More information about the devel
mailing list