There's a free certificate authority coming this year; I think privacy
and security are hot topics these days: https://letsencrypt.org/
Just a quick note about something I'm currently exploring.
The good thing about River is that it allows you to be mostly ignorant of
security when developing services and clients, and then later, using
configuration, secure those services and clients.
River is secure for the following scenario:
* One entity / company is responsible for the lookup service,
services and clients.
* Secure Discovery v2 is used.
* Codebase Integrity and TLS / SSL Endpoints.
* Authentication of services and clients is required.
Where River is not secure:
* More than two entities / companies interact using lookup services,
services and clients.
* Secure Discovery v2 is used.
* Codebase Integrity and TLS / SSL Endpoints.
Why isn't it secure? What's vulnerable?
Well, we know the sandbox isn't secure against DoS, but what about
serialization with ObjectInputStream using only local code?
Well, that's not secure either.
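An added example (not code from the post or from River) of why "only local code" does not make ObjectInputStream safe, and of one mitigation. readObject will instantiate any Serializable class it can find on the local classpath, whatever the stream names, so the set of reachable classes is bounded by the classpath, not by the service. The stream below overrides resolveClass to refuse every class descriptor not on an explicit allowlist before any of that object's data is read. The ServiceRequest and UnexpectedPayload types and their contents are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

public class AllowlistDeserialization {

    // The one application type this endpoint expects to receive. Any other
    // class whose descriptor appears in the stream (superclasses and field
    // types other than primitives and String included) must be listed too.
    private static final Set<String> ALLOWED;
    static {
        Set<String> s = new HashSet<String>();
        s.add(ServiceRequest.class.getName());
        ALLOWED = Collections.unmodifiableSet(s);
    }

    // resolveClass runs for every class descriptor before that object's data
    // is read, so an unlisted class is rejected before it can be instantiated.
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        AllowlistObjectInputStream(byte[] data) throws IOException {
            super(new ByteArrayInputStream(data));
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on the allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    // Constructed for this example: the message type the service expects.
    public static final class ServiceRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String op;
        final int count;
        ServiceRequest(String op, int count) { this.op = op; this.count = count; }
    }

    // Constructed for this example: stands in for any Serializable class that
    // is on the local classpath but was never meant to arrive over the wire.
    public static final class UnexpectedPayload implements Serializable {
        private static final long serialVersionUID = 1L;
        final String note = "local code, but not something the endpoint asked for";
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bos);
        oos.writeObject(o);
        oos.close();
        return bos.toByteArray();
    }

    static Object deserializeRestricted(byte[] data)
            throws IOException, ClassNotFoundException {
        ObjectInputStream in = new AllowlistObjectInputStream(data);
        try {
            return in.readObject();
        } finally {
            in.close();
        }
    }

    public static void main(String[] args) throws Exception {
        ServiceRequest ok = (ServiceRequest) deserializeRestricted(
            serialize(new ServiceRequest("lookup", 3)));
        System.out.println("accepted: " + ok.op + " x" + ok.count);

        try {
            deserializeRestricted(serialize(new UnexpectedPayload()));
            System.out.println("BUG: unlisted class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```

The allowlist only bounds which classes may be resolved; it does nothing about resource exhaustion from deeply nested or very large graphs, which is a separate limit to impose on the input stream. On Java 9 and later the same policy is better expressed with java.io.ObjectInputFilter, which also lets you cap depth and array sizes.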
Let's for a moment pretend that it is. What are the benefits?
We could use simple proxy services from a trusted lookup service, for
example, without code downloads, as trust is easily established.
We could define an interface for obtaining smart proxies from bootstrap
proxies, and register the bootstrap proxy with entries on a lookup service.
We can prevent unauthorised code downloads with DownloadPermission, using
the right PreferredClassProvider.
This would allow clients to obtain the bootstrap proxy first,
authenticate it, grant DownloadPermission to it, then use the smart proxy.
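The client side of that sequence as an added example; it is not River code and not the post's own, and the BootstrapProxy interface, its getSmartProxy method and the BootstrapClient class are assumptions made for the example. The River calls it relies on are the public ones: ServiceRegistrar.lookup for the bootstrap proxy, and a BasicProxyPreparer that verifies trust in the proxy under server-authentication and integrity constraints and then grants it DownloadPermission, before the smart proxy is requested and itself verified.

```java
import java.rmi.RemoteException;
import java.security.Permission;

import net.jini.constraint.BasicMethodConstraints;
import net.jini.core.constraint.Integrity;
import net.jini.core.constraint.InvocationConstraint;
import net.jini.core.constraint.InvocationConstraints;
import net.jini.core.constraint.MethodConstraints;
import net.jini.core.constraint.ServerAuthentication;
import net.jini.core.lookup.ServiceRegistrar;
import net.jini.core.lookup.ServiceTemplate;
import net.jini.loader.DownloadPermission;
import net.jini.security.BasicProxyPreparer;
import net.jini.security.ProxyPreparer;

/**
 * Hypothetical interface for the bootstrap proxy the post proposes: a proxy
 * implemented entirely by local code (no codebase download needed), whose
 * only job is to hand out the real smart proxy once it has been trusted.
 */
interface BootstrapProxy {
    Object getSmartProxy() throws RemoteException;
}

public class BootstrapClient {

    // Require the server to authenticate and require integrity on every
    // call to the bootstrap proxy, before any code is downloaded.
    private static final MethodConstraints CONSTRAINTS = new BasicMethodConstraints(
        new InvocationConstraints(
            new InvocationConstraint[] { ServerAuthentication.YES, Integrity.YES },
            null));

    // "Authenticate it, grant DownloadPermission to it": BasicProxyPreparer
    // verifies trust in the proxy (verify = true, with CONSTRAINTS in the
    // context) and then grants the listed permissions to it.
    private static final ProxyPreparer BOOTSTRAP_PREPARER = new BasicProxyPreparer(
        true, CONSTRAINTS, new Permission[] { new DownloadPermission() });

    // The smart proxy is verified under the same constraints, with no grants.
    private static final ProxyPreparer SMART_PREPARER = new BasicProxyPreparer(
        true, CONSTRAINTS, null);

    public static Object obtainSmartProxy(ServiceRegistrar registrar)
            throws RemoteException {
        // Look up a bootstrap proxy by its local interface.
        ServiceTemplate tmpl = new ServiceTemplate(
            null, new Class[] { BootstrapProxy.class }, null);
        Object candidate = registrar.lookup(tmpl);
        if (candidate == null) {
            throw new IllegalStateException("no bootstrap proxy registered");
        }
        // Belt and braces: a class downloaded from a codebase arrives in its
        // own class loader, so a bootstrap proxy that is not defined by the
        // loader that holds the interface is refused outright.
        if (candidate.getClass().getClassLoader() != BootstrapProxy.class.getClassLoader()) {
            throw new SecurityException("bootstrap proxy is not local code: "
                + candidate.getClass().getName());
        }
        BootstrapProxy bootstrap =
            (BootstrapProxy) BOOTSTRAP_PREPARER.prepareProxy(candidate);

        // Only now ask for the smart proxy, whose classes may need to be
        // downloaded, and verify it before handing it to the caller.
        Object smart = bootstrap.getSmartProxy();
        return SMART_PREPARER.prepareProxy(smart);
    }
}
```

For this to do what it promises the client JVM needs a dynamic policy (net.jini.security.policy.DynamicPolicyProvider, since the preparer's grant goes through Security.grant), and a preferred class provider that refuses codebases without DownloadPermission, i.e. -Djava.rmi.server.RMIClassLoaderSpi=net.jini.loader.pref.RequireDlPermProvider; the bootstrap proxy's service must also support Jini proxy trust verification or prepareProxy will reject it. One caveat a practitioner should keep in mind: Security.grant attaches permissions to the class loader of the class it is given, here the local loader of the bootstrap proxy, so how that grant is meant to reach the smart proxy's codebase loader is part of what the post leaves to be continued.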
Anyway out of time right now, to be continued...
I'm presently investigating deserialization security and trying to fix
another annoying River concurrency bug; these always seem to pop up when
you're in the middle of something, taking days off the actual project.
Regards,
Peter.