open secure socket... using certificate

Richard Gaskin ambassador at fourthworld.com
Tue Feb 2 17:52:38 EST 2021


If the goal were point-scoring gotchas, that I frequently advocate 
industry best practices for security redundancy might indeed seem out of 
place here. I am normally a belt-and-suspenders kinda guy, and I make no 
apologies for it.

Those redundancies usually come up in discussions about exposing 
databases directly to the open Internet, as opposed to doing the common 
thing of putting a script between the DB and the connection (which 
affords the added benefit of allowing us to craft a nice API to help our 
client dev work move forward more smoothly as well).

The distinction is how common the practice is. We see that most systems 
put a script in front of their DB.  And we see that most use localhost 
sockets without SSL.

I'm not inventing any of this. I don't hold an CISSP cert, and I don't 
manage most of the world's projects. I just see what I see, share what I 
see, and where I don't understand something I'll ask, like I did here 
seeking a use-case where the benefit of slowing every socket comm down 
with encryption and decryption provides a benefit not immediately undone 
the moment the data is at rest.

I still hold that there might be a good use case, but after a brief 
search on this I was unable to find one, and none has emerged yet even here.

In your original post describing this system, you emphasized that LC 
multiprocessing is being used to find the fastest way to handle the data 
flow.  We generally accept a tradeoff between utility and security, but 
as with so much of life tradeoffs work best when evaluated for the case 
at hand.

If a user's machine is hosed, it's hosed.  If we look for guidance on 
that from better minds than mine, we can review the practices of leading 
app and OS vendors. Address space layout randomization may be a good 
example of how an OS vendor can mitigate risks in compromised machines, 
but the same OS vendors employing it don't also recommend app devs add 
their own address randomization at the app level. Maybe app devs should? 
Maybe OS vendors are lax?

The deeper we go down the rabbit hole of protecting systems, the more 
challenging it gets.  At a certain point -- a somewhat shallow point, I 
don't mind admitting -- I'm happy to leave the deep thinking to 
specialists and just follow common practice.  If I happen to see a risk 
that common practice doesn't cover, I'll cover it as I go.  But even 
though we have Stuxnet to remind us of the impact of unanticipated 
consequences from design decisions, if I don't have a specific threat 
vector in mind AND it's not a common practice, odds are I'll skip it.

I admit I'm far less of a programmer than the minds behind Stuxnet. And 
since most of the world is, I'm okay with that.

Security awareness is good, and redundancy common. But where a 
redundancy is both uncommon and provides little benefit not undone 
easily elsewhere in the system, I'll often skip it.

And when the house is on fire, I'm not sure it's a service to the 
homeowner to help maintain the illusion that their house isn't on fire.

-- 
  Richard Gaskin
  Fourth World Systems



Tom Glod wrote:

 > Hhahah Richard, that was hilarious. :D Given I've given you next to no
 > info on the use case, I understand why it may seem overkill, and maybe
 > it is.
 >
 > A wise person once told me .... and I'm paraphrasing..... " you can't
 > prevent everything ....so the task at hand is to make things harder
 > and take longer."  That person was you.
 >
 > So would it make it harder to steal data if data transport between 2
 > decoupled processes was encrypted? you bet.
 >
 > Thanks for giving me food for thought...and I will triple check to
 > make sure its necessary. :D
 >
 >
 > On Mon, Feb 1, 2021 at 6:16 PM Richard Gaskin wrote:
 >
 >> Tom Glod wrote:
 >>
 >>  > Richard,
 >>  >
 >>  > Lets say one of my users is targeted by a hacker and they manage
 >>  > to install a malware process on their system that will capture all
 >>  > the data flowing between the 2 processes.
 >>  > Then they do not need to be sitting in the victim's chair.
 >>  > But if the data was encrypted, this wouldn't matter.
 >>
 >> True, that one aspect of your program wouldn't matter.  But since
 >> everything else on the system is now hosed, does anything matter?
 >>
 >> To my ear it sounds like a planning committee meeting for a zoo in
 >> which they're deciding on the steel thickness of armored suits they
 >> require visitors to wear because tigers are running loose, while
 >> the whole facility is on fire. I'm in the back of the room raising
 >> my hand asking if we might just put the tigers back in the cage.
 >> After we put out the fire. :)
 >>
 >> In the scenario you described, what prevents the bad guy from reading
 >> the data at rest? Or keylogging? Or replacing either or both of the
 >> executables you delivered? Or anything else they might do once they
 >> have that level of control throughout the system?
 >>
 >> --
 >>   Richard Gaskin
 >>   Fourth World Systems






More information about the use-livecode mailing list