undefined | Better HN

0 pointspeterwwillis8y ago0 comments

Oh I'm sure it was bug ridden. But even if my feature introduced a security hole, you would have to find and exploit it, and it would then have to find a way to attack the rest of the app (which qmail makes difficult).

It's kind of like using OBSD as your app platform. You can definitely make it insecure! But it's more secure by default than others, perhaps because of a lack of features, as well as very good security design.

0 comments

irundebian8y ago

Are you sure that you understood djb's statement about the principle of least privilege? It's not about attacking the rest of the app, but about violating the user's security requirements.

peterwwillisOP8y ago

I don't understand what this has to do with my comment.

irundebian8y ago

> it would then have to find a way to attack the rest of the app (which qmail makes difficult).

It's not necessary to attack the rest of the app as soon as user's security requirements are violated. So if an attacker had been able to have an impact on confidentiality, integrity or availability because of your masquerading patch, user's requirements would have been broken. For an impact on availability controlling control flow isn't necessary, you just need to crash components.

peterwwillisOP8y ago

Yes, you are right. An exploit is still viable even if it doesn't attack other parts of a system.

My point was that with a default of secure design, even small exploits added via plugins are better defended against than my alternative option, which was sendmail (i'm sure Exim wouldn't have been quite as horrible as sendmail, and Postfix wasn't quite mature yet).

j / k navigate · click thread line to collapse

0 comments

irundebian8y ago

Are you sure that you understood djb's statement about the principle of least privilege? It's not about attacking the rest of the app, but about violating the user's security requirements.

peterwwillisOP8y ago

I don't understand what this has to do with my comment.

irundebian8y ago

> it would then have to find a way to attack the rest of the app (which qmail makes difficult).

peterwwillisOP8y ago

Yes, you are right. An exploit is still viable even if it doesn't attack other parts of a system.

j / k navigate · click thread line to collapse