Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <44356.1404571012@critter.freebsd.dk>
Date: Sat, 05 Jul 2014 14:36:52 +0000
From: "Poul-Henning Kamp" <phk@....freebsd.dk>
cc: Marek Kroemeke <kroemeke@...il.com>, Solar Designer <solar@...nwall.com>,
        oss-security@...ts.openwall.com, varnish-misc@...nish-cache.org
Subject: Re: Varnish - no CVE == bug regression

I have just read the followup discussion and will add these comments:

First of all, if you want an overview of the security design of
Varnish, it is here:

	https://www.varnish-cache.org/docs/trunk/phk/barriers.html

Second, since Varnish serves HTTP, a DoS is not something out of
the ordinary.  It happens all the time to our users, we consider
DoS attacks a fact of life.  The better we handle them, the better we
handle them, but we will never be able to cope with them all,
not in a world where Evil botnets or Good authors can point millions
of browsers at the same web property in an instant.

Third, with respect to "never trusting input":  Varnish doesn't.
But in some cases we distust with an assert.  Either because it is
an utterly pathological situation where no sane handling or recovery
is possible or because the condition is so rare that our time is
better spent improving quality and error handling elsewhere.

Fourth, comparisons to root-shells and OpenSSL ciphers ?  Really ?
Has nobody told you that a bad analogy is like a wet screwdriver ?

Fifth, some of you have a really weird definition of "DoS", and
since the same people seem very fond of analogies, I'll answer with
one:  When I say "Varnish trust the backend backend", I mean that
it does so because that is its job.  The backend is the guitar,
Varnish is the PA system.  If you plug the guitar cable into 110VAC,
you don't expect the PA to generate an 60Hz earthquake, you expect
it to blow a fuse.  In Varnish that "fuse" is an assert.  If, like
most PA systems, such abuse left Varnish as an irepairable smoking
environmental hazard, *then* I would agree that it constituted a
DoS, but the "fuse" in Varnish self-repairs in a fraction of a
second, and as soon as you plug a working microphone back in again,
Varnish will keep on rocking with you.  Would it be better not to
blow the fuse ? Sure.  Does it matter ?  Not really.

Sixth, people building CDNs for third party traffic with Varnish
had better know what they're doing, since that is (slightly) outside
Varnish security and authority design.  The CDNs I know about do
know what they're doing.  (There may be others.)

(If there are any questions, please keep me in the CC: I'm not
on the oss-sec list).

Poul-Henning

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@...eBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.