mavit wrote:
> Another example is installing plugins. If you can install plugins, you
> can run arbitrary code as the user that LMS runs as.

Wouldn't installing malicious plugins involve either putting malicious code into a repository (which seems like a good way to get caught though not a certainty) or having write access to the appropriate directories on the target computer? And if someone with bad intentions has write access to the directories, wouldn't involving HTTP be extra work for no extra reward?

I'm curious how many malware authors are targeting HTTP on internal home networks. Is it safe to say that relatively few people are running any kind of server at all on their home networks? And, if the numbers are indeed low, why would HTTP be a tempting target compared to something using a more direct approach?

I can't decide if this is a near-complete non-issue or if I'm somehow missing something painfully obvious that I'll eventually regret. Are there currently Bad Things out there in the wild that are taking advantage of insecure home HTTP? I realize that just because there may not be now doesn't mean there never will be, I'm just trying to understand what the current real world risk is. The claim that interfacing with LMS via HTTP may be a serious enough security risk to require mitigation caught me completely by surprise.

I'm probably an outlier in that I have several things running internally using HTTP. It's interesting to me that NONE of them, including some pretty hefty stuff like TrueNAS, are using HTTPS for their interfaces. Are the people behind TrueNAS, piHole, LMS and whatever else I can't remember at the moment simply *lazy* or are they reasonably certain that they aren't creating a security risk?

I assume there's browser-accessed software out there that uses HTTPS over the home network because someone thought it was worth it, but I have yet to see *any*. (Again, I'm not claiming that's a scientific survey, I just find it interesting.)

------------------------------------------------------------------------
atrocity's Profile: http://forums.slimdevices.com/member.php?userid=16009
View this thread: http://forums.slimdevices.com/showthread.php?t=115292

_______________________________________________
Squeezecenter mailing list
Squeezecenter@lists.slimdevices.com
http://lists.slimdevices.com/mailman/listinfo/squeezecenter