From fb38811b10dd457896289f4d677391b488e964ba Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Thu, 12 Apr 2018 13:59:43 +0100 Subject: [PATCH 6/9] spec: Describe the security properties of nonce-tcp in terms of tcp Signed-off-by: Simon McVittie --- doc/dbus-specification.xml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/doc/dbus-specification.xml b/doc/dbus-specification.xml index 7f2933bf..fa285323 100644 --- a/doc/dbus-specification.xml +++ b/doc/dbus-specification.xml @@ -3810,6 +3810,32 @@ the higher-level authentication mechanisms described in the Authentication section. + + The nonce-tcp transport is conceptually similar to a combination + of the DBUS_COOKIE_SHA1 + authentication mechanism and the + tcp transport, + and appears to have originally been implemented as a result of + a misunderstanding of the SASL authentication mechanisms. + + + Like the ordinary tcp transport, the nonce-tcp transport has no + integrity or confidentiality protection, so it should normally + only be used across the local loopback interface, for example + using an address like tcp:host=127.0.0.1 or + tcp:host=localhost. Other uses are insecure. + See for more + information on situations where these transports have been used, + and alternatives to these transports. + + + Implementations of D-Bus on Windows operating systems normally + use a nonce-tcp transport via the local loopback interface. + This is because the + unix + transport, which would otherwise be recommended, is not + available on these operating systems. + On start, the server generates a random 16 byte nonce and writes it -- 2.17.0