Re: [DNSOP] Status of "let localhost be localhost"?

Ted Lemon <> Wed, 16 August 2017 12:58 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8C1B113219C for <>; Wed, 16 Aug 2017 05:58:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 16Yw2MSNr2La for <>; Wed, 16 Aug 2017 05:58:54 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400d:c0d::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 040991326B0 for <>; Wed, 16 Aug 2017 05:58:53 -0700 (PDT)
Received: by with SMTP id 16so20123072qtz.4 for <>; Wed, 16 Aug 2017 05:58:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=w5GZyebJPLftskvpd0cOcbEEAB1cNYdXGepHDRuvClg=; b=poDDCR1OU6BZaNZl13ydLJ11xnYy8aOdR5ctBt16p4KbyaZI0tJjNqYDy52i2K0XI3 BgOzpeCwEt8CFLi3BESPYnTy5m5c6Xw/+IuXiYsLDWcCqh9fWTi5KW7EAEiT67NqRT8R 0mJ42WNA7WNsVy7Ky80f/UjCjtHWWOy97wX1Oy1dpdXTpdFfLp+OloLF7LwpOmydtX63 p3DTrLts9lNepTVZ5/qrC5cQtl0fFHvkoUiMJoYx8I0gL2F1B5wc0SD/HHup+Ui5RG6V yaAB2Z8DvHYBE046f/gC+/6pI1096SxbgUp70brgK30H7qU6OpaQdckrPfS8A4Ijcc9l 2LKA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=w5GZyebJPLftskvpd0cOcbEEAB1cNYdXGepHDRuvClg=; b=MZlB3pDisytQfYYRl2n38aXefcEgAeBiNtFFrW/n/AXkqdl1NS1vl68T3avlcp8GgA Boh6nq/Y33WuQZz4+rXx5NuhKBp7aUX4vba1Rcvpc2jf/34dAIgqLTaA7YdvblBzT3Nw 9xVbejTuRfgx7cvTaHhz9rd5/WuA6ZcvD/hlcVHE4wgSrdm+pUSCbeugR2Kr9PjfomG9 n201tVhipngukWvBLuG3G2GOaPgVi+UW3LaxyxYn+AhrPex3gtyQhNYhGmU2mmglDKZS RVwK46aGX9PFk/SiGODKRYbnA9OAR7e88dCGwZ0qnuoQIKRfNVEuXkGpq3M4YoOtCDmQ VG8w==
X-Gm-Message-State: AHYfb5g71dKKfEFtGSiDUzBhvU8O8fd25YhUT87kEEuyTBAyOjxkd9su zz+6j/bQJ3l53FUa
X-Received: by with SMTP id c5mr2285478qtb.51.1502888333061; Wed, 16 Aug 2017 05:58:53 -0700 (PDT)
Received: from cavall.ether.lede.home ( []) by with ESMTPSA id k74sm506666qkh.41.2017. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 16 Aug 2017 05:58:52 -0700 (PDT)
From: Ted Lemon <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_6977D51C-00B6-4337-B95E-2AA71607E1B8"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Wed, 16 Aug 2017 08:58:51 -0400
In-Reply-To: <>
Cc: dnsop <>, Tony Finch <>, Mark Andrews <>
To: Mike West <>
References: <20170812170958.14197.qmail@ary.lan> <> <> <> <> <> <> <> <> <>
X-Mailer: Apple Mail (2.3273)
Archived-At: <>
Subject: Re: [DNSOP] Status of "let localhost be localhost"?
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 16 Aug 2017 12:58:56 -0000

El 16 ag 2017, a les 6:17, Mike West <> va escriure:
> In the commit linked above, I've adopted the second and third paragraphs with minor wording changes. It's not really clear to me where the crux of the first paragraph lies. IMO, malware is pretty clearly out of scope for software's security decisions, as anything running on the local machine with privilege equal to (or exceeding!) your own is basically impossible to defeat. Are there scenarios in which you think that's not the case, at least insofar as this draft is concerned?

That's why I mentioned sandboxing.   A process running on the local host, inside a sandbox, listening on a local port, could be reachable by processes that aren't sandboxed, or are running in other sandboxes.   So trusting localhost provides a way for a sandboxed process to screw you, basically.   I don't know how serious a threat this is, but I think the idea that the set of trust zones on a single host is flat is not valid, and that's why I actually don't think that, even with this document published and in wide use, "localhost" should be considered trustworthy.

A slightly less vulnerable approach would be to allow reserved ports on localhost to be trusted, but to not trust other ports, on the basis that something that can get a reserved port has privileges.   This is still questionable, since a trusted sandboxed app could be compromised, but it's at least a smaller attack surface.