[mosh-devel] Concerns about mosh's security at the Broad Institute

C.v.St. stucki-spam at t-online.de
Sat Aug 8 10:36:35 EDT 2015


Two thoughts on things I remember ...

On 08.08.2015 01:33, Hayden Metsky wrote:

> * "Mosh requires opening UDP ports on the Broad perimeter. That makes
>   the Broad network available as a participant in a DDoS performed
>   against external entities, specifically ICMP PORT UNREACHABLE class of

The more ports on a host that are not firewalled, the more ports an attacker
can send forged packets to in order to provoke (e.g.) misdirected 'ICMP
PORT UNREACHABLE' responses towards a third party.  So opening more ports
makes somebody unknown elsewhere more vulnerable and makes a 'local
server' machine more suspect. So some people strictly minimize the
number of ports visible to the outside to only a few well-known ports.

> * "Mosh is based ... Also
>   the first UDP mosh packet is from client to server. That underscores
>   the fact that there is no way for a firewall to have any control of
>   state."

Some people want their server to have exact control over whom to give
which port, so they want to enforce that the server (service) decides
the port number, not the initiating user elsewhere. Maybe this could be
done in mosh, because the newborn server can talk to the client.

If you are behind a stateful firewall, a connection to a port is either
to an officially dedicated and defined port of a service, or must be
opened from the inside to start a connection. Stateful firewalls
otherwise drop the packet, assuming stray/erroneous/lost or aggressive
access. Having completely connectionless packets coming in is then
impossible. Mosh client and server could only 'connect' if both sides
start the same connection in parallel from BOTH sides, answering only
after receiving the starter packet, which would have to be recognizable
to the firewall as the beginning of a mosh session. This, on the other
hand, will have other new security implications for mosh, so many
firewalled systems may simply forbid mosh and enforce ssh-only, which is
TCP and thus stateful anyway.

Stucki
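The two firewall behaviours discussed in this message, as an added illustration that is not part of the original thread and not mosh code: a toy stateful UDP filter in front of a host. It shows (1) why a UDP flow whose first packet comes from the outside is dropped unless the destination port is explicitly opened on the perimeter, (2) how an inside-initiated flow creates a conntrack entry that lets the peer's replies in while still dropping unrelated inbound packets, and (3) how an opened port range turns the host into an ICMP PORT UNREACHABLE reflector when an attacker forges a victim's source address. The addresses, the 60000-61000 range, the single listening port and the timeout are all constructed for the example; the model does not reproduce mosh's real protocol.

```python
"""Toy model of a stateful perimeter firewall in front of a UDP host.

Added illustration for the points raised in the thread; it is not mosh code
and does not model mosh's actual protocol.  All addresses, ports, the
opened range and the timeout are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Flow = Tuple[str, int, str, int]          # (src_ip, src_port, dst_ip, dst_port)


@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str                        # "in" = from the Internet, "out" = from inside


@dataclass
class StatefulUdpFirewall:
    """Accepts inbound UDP only as a reply to an inside-initiated flow or to an
    explicitly opened destination port; everything else is dropped."""
    open_ports: Set[int] = field(default_factory=set)
    timeout: int = 30                     # idle seconds before a conntrack entry expires
    conntrack: Dict[Flow, int] = field(default_factory=dict)   # flow -> last seen

    def _expire(self, now: int) -> None:
        for f in [f for f, t in self.conntrack.items() if now - t > self.timeout]:
            del self.conntrack[f]

    def filter(self, pkt: UdpPacket, now: int) -> str:
        self._expire(now)
        flow: Flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse: Flow = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if pkt.direction == "out":
            self.conntrack[flow] = now    # inside-initiated: remember it so replies get in
            return "ACCEPT"
        if reverse in self.conntrack:
            self.conntrack[reverse] = now  # reply to a flow we opened from the inside
            return "ACCEPT"
        if pkt.dst_port in self.open_ports:
            return "ACCEPT"               # unsolicited, but the port is a perimeter hole
        return "DROP"


@dataclass
class UdpHost:
    ip: str
    listening: Set[int]

    def receive(self, pkt: UdpPacket) -> Optional[Tuple[str, str]]:
        """Deliver to a bound socket, or emit ICMP port unreachable to the packet's
        (possibly forged) source address, as a real IP stack would."""
        if pkt.dst_port in self.listening:
            return None
        return ("ICMP_PORT_UNREACHABLE", pkt.src_ip)


MOSH_RANGE = set(range(60000, 61001))     # constructed: UDP range opened on the perimeter
SERVER_IP = "198.51.100.10"               # constructed: host inside the perimeter
CLIENT_IP = "203.0.113.5"                 # constructed: legitimate client outside


def first_packet_from_outside(opened: Set[int]) -> str:
    """Verdict on a new UDP flow whose first packet comes from the outside client."""
    fw = StatefulUdpFirewall(open_ports=opened)
    return fw.filter(UdpPacket(CLIENT_IP, 41000, SERVER_IP, 60001, "in"), now=0)


def inside_initiated_flow() -> List[str]:
    """Server speaks first: its packet creates state, the client's reply matches it,
    an unrelated inbound packet still drops, and the entry times out when idle."""
    fw = StatefulUdpFirewall(open_ports=set())
    out = UdpPacket(SERVER_IP, 60001, CLIENT_IP, 41000, "out")
    reply = UdpPacket(CLIENT_IP, 41000, SERVER_IP, 60001, "in")
    stranger = UdpPacket(CLIENT_IP, 41000, SERVER_IP, 60002, "in")
    late = UdpPacket(CLIENT_IP, 41000, SERVER_IP, 60001, "in")
    return [fw.filter(out, 0), fw.filter(reply, 5), fw.filter(stranger, 5), fw.filter(late, 100)]


def reflected_icmp(opened: Set[int], victim: str, probes: int) -> List[Tuple[str, str]]:
    """Attacker forges `victim` as source on `probes` packets to unbound ports inside
    the opened range; returns the ICMP errors the host sends to the victim."""
    fw = StatefulUdpFirewall(open_ports=opened)
    host = UdpHost(SERVER_IP, listening={60001})   # only one live session is bound
    errors: List[Tuple[str, str]] = []
    for i in range(probes):
        spoofed = UdpPacket(victim, 1024 + i, SERVER_IP, 60002 + i, "in")
        if fw.filter(spoofed, now=i) == "ACCEPT":
            icmp = host.receive(spoofed)
            if icmp is not None:
                errors.append(icmp)
    return errors


if __name__ == "__main__":
    print("closed perimeter, client first:", first_packet_from_outside(set()))
    print("range opened, client first:   ", first_packet_from_outside(MOSH_RANGE))
    print("server-initiated flow:        ", inside_initiated_flow())
    print("ICMP to victim, range opened: ", len(reflected_icmp(MOSH_RANGE, "192.0.2.99", 5)))
    print("ICMP to victim, closed:       ", len(reflected_icmp(set(), "192.0.2.99", 5)))
```

The reflection count grows with the number of opened-but-unbound ports, which is the reason given above for keeping the set of outside-visible ports small; the inside-initiated case is the stateful-firewall behaviour the message describes, where only the peer of a flow the server started gets through, and only while the entry is fresh.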
