network sniffers and localhost

Charles Curley charlescurley at charlescurley.com
Mon Oct 1 20:15:33 UTC 2007


On Mon, Oct 01, 2007 at 02:45:30PM -0500, Aaron Konstam wrote:
> This may be an off the wall question but here goes. When you bring up
> the cups web interface and choose to administer your printers, you are
> asked to login with a username and passwd. Usually it is the name root
> and root's passwd that works.
> 
> Let us say someone has a network sniffer on another machine on your
> LAN. Since the root passwd you type is going to localhost network it
> should be handled by the loopback interface.
> 
> Is it? And if that is so can a sniffer on the LAN see the passwd
> entered?

What is the URL that gets you to the CUPS IF? Mine is
http://localhost:631/, so in my case, yes, it is localhost. If your
name resolution is set up correctly, that should point to the local
loopback device:

[root@dragon ~]# host localhost
localhost has address 127.0.0.1
localhost has IPv6 address ::1
[root@dragon ~]# ifconfig lo
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:19437 errors:0 dropped:0 overruns:0 frame:0
          TX packets:19437 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:4729638 (4.5 MiB)  TX bytes:4729638 (4.5 MiB)

So, yes, it should go to the local loopback device (LLD).

The whole point of the LLD is that it never goes to the network. With
a properly written LLD, a packet should go to the IP level of the
TCP/IP stack. The LLD's IP code simply swaps the source and
destination addresses and ports, and hands the packet back to the
appropriate higher level protocol (ICMP, TCP, UDP, etc.). (I haven't
looked at the source for Linux's LLD, but that's basically what the
one I wrote did.)

So if the LLD is properly written, a sniffer on another machine should
never see any packets to or from a LLD.

As you probably know, the X protocol uses TCP/IP to communicate
between clients (programs) and servers (displays, keyboards,
etc.). Think of the security implications when X traffic doesn't
travel over the loopback device. A cracker who can scarf your X
packets could watch you compose mash notes to your secretary on
company time in real time. Not very secure! This is one of several
reasons the normal "xhost" authentication is deprecated in favor of
SSH. So, yeah, the TCP/IP security folks have already thought of this
question.

-- 

Charles Curley                  /"\    ASCII Ribbon Campaign
Looking for fine software       \ /    Respect for open standards
and/or writing?                  X     No HTML/RTF in email
http://www.charlescurley.com    / \    No M$ Word docs in email

Key fingerprint = CE5C 6645 A45A 64E4 94C0  809C FFF6 4C48 4ECD DFDB
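
Added example, not part of the original message: a Python check of the condition the reply names (the URL's host resolves only to loopback addresses) and, going one step beyond it, of which local address a port is listening on. The function names and the sample /proc/net/tcp text are constructed for illustration, and the byte order handling assumes a little-endian host such as x86.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample of /proc/net/tcp (not captured from a real machine).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1
"""


def non_loopback_addresses(url, resolver=socket.getaddrinfo):
    """Addresses the URL's host resolves to that are NOT loopback.

    An empty list means connections to this URL stay on the loopback device.
    """
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    infos = resolver(parts.hostname, port, 0, socket.SOCK_STREAM)
    addrs = {info[4][0].split("%")[0] for info in infos}  # drop IPv6 zone id
    return sorted(a for a in addrs if not ipaddress.ip_address(a).is_loopback)


def listeners(proc_net_tcp, port):
    """Local IPv4 addresses with a LISTEN socket on `port` in /proc/net/tcp text."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != "0A":    # 0A is the LISTEN state
            continue
        hex_ip, hex_port = fields[1].split(":")
        if int(hex_port, 16) == port:
            # The address is printed as a little-endian 32-bit hex value.
            found.append(str(ipaddress.ip_address(bytes.fromhex(hex_ip)[::-1])))
    return found


if __name__ == "__main__":
    print("port 631 listens on:", listeners(SAMPLE, 631))
    print("non-loopback targets:", non_loopback_addresses("http://localhost:631/"))
```

On a live system, pass the contents of /proc/net/tcp instead of SAMPLE; a result of 0.0.0.0 means the port also accepts connections arriving over the LAN.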