Date: Sat, 05 Jul 2014 14:36:52 +0000
From: "Poul-Henning Kamp" <phk@....freebsd.dk>
cc: Marek Kroemeke <kroemeke@...il.com>, Solar Designer <solar@...nwall.com>, oss-security@...ts.openwall.com, varnish-misc@...nish-cache.org
Subject: Re: Varnish - no CVE == bug regression

I have just read the followup discussion and will add these comments:

First of all, if you want an overview of the security design of Varnish, it is here:

https://www.varnish-cache.org/docs/trunk/phk/barriers.html

Second, since Varnish serves HTTP, a DoS is not something out of the ordinary. It happens all the time to our users; we consider DoS attacks a fact of life. The better we handle them, the better we handle them, but we will never be able to cope with them all, not in a world where Evil botnets or Good authors can point millions of browsers at the same web property in an instant.

Third, with respect to "never trusting input": Varnish doesn't. But in some cases we distrust with an assert, either because it is an utterly pathological situation where no sane handling or recovery is possible, or because the condition is so rare that our time is better spent improving quality and error handling elsewhere.

Fourth, comparisons to root shells and OpenSSL ciphers? Really? Has nobody told you that a bad analogy is like a wet screwdriver?

Fifth, some of you have a really weird definition of "DoS", and since the same people seem very fond of analogies, I'll answer with one:

When I say "Varnish trusts the backend", I mean that it does so because that is its job. The backend is the guitar, Varnish is the PA system. If you plug the guitar cable into 110VAC, you don't expect the PA to generate a 60Hz earthquake, you expect it to blow a fuse. In Varnish that "fuse" is an assert.

If, like most PA systems, such abuse left Varnish as an irreparable smoking environmental hazard, *then* I would agree that it constituted a DoS, but the "fuse" in Varnish self-repairs in a fraction of a second, and as soon as you plug a working microphone back in again, Varnish will keep on rocking with you.

Would it be better not to blow the fuse? Sure. Does it matter? Not really.

Sixth, people building CDNs for third-party traffic with Varnish had better know what they're doing, since that is (slightly) outside Varnish's security and authority design. The CDNs I know about do know what they're doing. (There may be others.)

(If there are any questions, please keep me in the CC: I'm not on the oss-sec list.)

Poul-Henning

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@...eBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.