On Monday, August 26, 2019 8:41:30 AM MST Christopher wrote:
> On Mon, Aug 26, 2019 at 9:08 AM <mcatanzaro@xxxxxxxxx> wrote:
> >
> > Well the thing is, blocking ports tends to break applications that want to
> > use those ports. We're not going to do that, period. It also doesn't
> > really accomplish anything: either your app or service needs network
> > access and you have whitelisted it (in which case the firewall provides
> > no security), or it needs network access and you have not whitelisted it
> > (in which case your firewall breaks your app/service). In no case does it
> > increase your security without breaking your app, right? Unless you have
> > malware installed (in which case, you have bigger problems than the
> > firewall). Or unless you have a vulnerable network service installed that
> > you don't want (in which case, uninstall it).
>
> You're creating a false dichotomy. There are plenty of legitimate user
> apps that do stupid things that you should restrict with a firewall,
> and there's plenty of malware that needs a C&C server via network
> access to control it, and whose abilities are limited by firewalls.
>
> At the very least, the user should *know* that an app requires network
> to function... this shouldn't be a surprise to users. It should be
> something the UI experience makes them aware of. Microsoft learned
> this from commercial firewall applications like ZoneAlarm back when
> they finally made the Windows XP firewall enabled in SP2 (both ZA and
> XPSP2 alerted users about network access). This is not something that
> a Linux distro should be learning 15 years later... we should be leading
> the charge on secure-by-default... not trailing 15-year old Windows
> systems.
>
> As a user, I *WANT* my applications to break if they are
> internet-exposed and I didn't grant them explicit permission to be
> exposed. That's what security does. This breakage you're describing is
> an essential part of educating users and forcing their participation
> in security (which is *everyone's* responsibility). If your concern is
> that users won't be able to figure out how to make the choice to grant
> access, then you've identified a UI problem... not a problem with the
> security defaults.
>
> > So if you want to change the firewall settings, you'd need to completely
> > rethink how the firewall works. And nobody seems interested in doing
> > that. We could e.g. have a list of apps that are allowed network access,
> > but then we'd need some form of attestation so apps can't impersonate
> > each other. So only sandboxed (flatpaked) apps could use this
> > hypothetical new firewall. And we surely don't want to have yes/no
> > permission prompts, so we can't really ask the user "do you want your app
> > to access the network?" (the user will almost always say yes). I'm not
> > really sure what design would even work.
>
> You're effectively arguing: if you can't have perfect security, don't
> bother. Security isn't about making a system impenetrable... it's
> about putting up barriers... making things difficult for the attacker.
> It's an arms race and it always will be. Regarding "yes/no" permission
> prompts.... yes, that'd be great.... but maybe make them type the name
> of the application, instead of brainlessly clicking "Yes". There are
> things that can be done. You're arguing to do nothing. You're arguing
> for not bothering with security. If you are right that it doesn't
> matter, then why does Fedora Server have different defaults? Clearly
> somebody thinks security is important in the Server team... their
> reasoning applies just as well to the Workstation product.
>
> > Avoiding unnecessary network services makes more sense.
>
> It's not mutually exclusive. You can do both.
>
> ... yes, apps like VNC and Rhythmbox (and any other example of an app
> listening on a port) can be better... but the point is that the OS is
> a bottleneck for apps which make bad decisions (or fail while trying
> to make good decisions)... and the OS shouldn't push security down
> into every single app... it should work for the user.... to protect
> them against poorly-behaved apps, malware, and sometimes even protect
> the user from themselves (such as when OS makes choices to disable
> root user by default).
>
> Fixing the firewall settings in Fedora Workstation is the first thing
> I change after a new install. The current default is bad... argued
> from bad logic that weakens the security of the OS.
> _______________________________________________
> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx

I cannot imagine who approved this firewall configuration. This is broken.
This is a critical vulnerability, in my opinion.

--
John M. Harris, Jr. <johnmh@xxxxxxxxxxxxx>
Splentity
https://splentity.com/