On 04/10/02 10:21 -0400, Paul D. Robertson wrote:
> On Fri, 4 Oct 2002, Devdas Bhagat wrote:
>
> > > (A) Project history- Postfix and Qmail have held up well, proftpd erm,
> > > hasn't. I haven't followed the other two, since FTP is on my list of
> > > "Horribly broken protocols I'll never support."
> > I'll agree with this. Proftpd has not had a showstopping bug except for
> > a DOS due to globbing (IIRC). There have been minor bugs, but none of
>
> Just after Flood dropped the project I seem to recall a spate of exploits,
> one after another[1]. Looking back, I count 3 definite root exploits, a
> couple of other issues that'd make me not want to put it in a hostile
> environment.

Aaah, I picked it up after the bugs were fixed. Not before that. Wasn't
required to (senior people were happy with wu-ftpd).

> Personally, I'd have looked at one I hadn't run before, or the BSD one,
> which has only had a couple of issues in the last few years, and I don't
> think any of them were unique to that instance.

I had very little experience then. Have a little bit more now.

> > them were the security kind.
> > I haven't run an ftpd for quite some time, and when I was looking (about
> > Nov/Dec 2000), proftpd was the best choice due to its easy config and
> > relative security. Current status is a wholly different issue.
>
> Personally, I'd look elsewhere given the history (and that's not saying it
> hasn't been fixed, it's saying I don't trust the original goal of security
> in the design given its lack of compliance with that goal.) I'll give
> you "easy to config," because it met that goal quite well, but in Nov of
> 2000, it was just done with a raft of exploits, bugs and a change of
> maintainership- none of them particularly confidence inspiring in my
> opinion.

Didn't know that at that time. I'll admit to being guilty on that count.

> > > (B) Look at the code.
> > This always works, but it's a question of time on the security people's
> > part.
>
> Yes, but if you never do it, you'll never get time budgeted for it. I
> used to do per-protocol risk assessments for weeks before allowing or
> disallowing anything new- sometimes it wasn't overly necessary, it was
> *obvious* that the answer was going to be no, but doing some of those
> anyway got the organization in tune with "new stuff takes weeks of
> examination."

Not in today's world in a whole lot of places. Seems like marketing drives
the whole system. Sad but true.

> > > (C) Developer history.
> > Good stance to go by for first filtering.
>
> People used to grep for "Vixie" to find exploits. Sad, but true.

I know. I saw a few posts somewhere for Bind 9's security saying that.

> > > (D) Developer's understanding of the protocol and its weaknesses.
> > Difficult to judge rapidly, since the weaknesses are usually at the
> > boundaries. Also, the developer's understanding of the language used.
>
> In that case use it in reverse, add points to those who can and do
> articulate it well. You need to know what the developer says/does.

Ahem.... DJB.

[OT] Can we please follow the LKML rule that if there is no specific
request for an offlist reply, then the reply should go only to the list?
I am on the list.

Devdas Bhagat.
_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
This archive was generated by hypermail 2b30 : Fri Oct 04 2002 - 09:30:28 PDT