.why .it’s .time .to .fix .localhost

We were recently asked to comment on a suggested new internet standard proposed in a document with the intriguing title Let ‘localhost’ be localhost.

At first glance, we assumed this would either be humorous, like the many internet RFCs dated 01 April, or benignly pedantic…

…but we investigated anyway (pedantry may be unpopular, but that is often because it is righteously correct and annoyingly important).

Here’s what the story is all about.

You’ve probably heard of DNS, short for domain name system – in technical terms, it’s a redundant, distributed, dynamic, hierarchical database responsible for telling you which computers actually correspond to what domain names.

Simply put, it’s the internet fabric that turns human-friendly server names such as facebook.com into computer-friendly network numbers such as 157.240.1.35 or 2a03:2880:f11b:83:face:b00c::25de.

Sometimes you want to access network resources directly on your own computer, using network-oriented software, even though you could just access everything directly if necessary.

For example, you might want to manage the files on your own computer by connecting locally with an FTP client, simply because you prefer the user interface, or you might want to manage the local firewall settings from your browser instead of typing cryptic commands into a console window.

When you use network protocols to access local data and services, you don’t want to risk exposing any of that network traffic to the outside world by mistake.

That’s because some network servers and services give special privileges to local traffic, so the sort of data you send locally is often much more interesting to crooks, and more dangerous to your privacy, than the traffic you’d usually allow onto your work LAN or out over the internet.

Mistakes happen

But mistakes can easily happen if you use regular internet names or numbers to access your local computer.

For example, if you are at home, you might accidentally type in your work IP number out of habit, so that traffic intended for local consumption might leak out onto the internet, trying to find its way to a remote location where your computer isn’t.

That’s why there are special IP numbers reserved to mean “this always refers to your local computer, wherever you are at the moment, so this traffic must never leave this device”.

For example, the network addresses 127.0.0.1 (on old-style IPv4 networks with 32-bit addresses) and 0.0.0...0.0.1, abbreviated to ::1 (on new-style IPv6 networks with 128-bit addresses), always and only refer to “this computer, right here, right now”.

For human-friendly simplicity, the internet name localhost means exactly the same thing, and you’re supposed to be safe using that name, too.

Unfortunately – and this is the main issue covered in Mike West’s “Let ‘localhost’ be localhost” proposal – the relevant internet standard only actually says that localhost should refer to your current computer, and doesn’t insist that it must.

(The internet standards documents make heavy use of MAY, SHOULD and MUST, and only when something gets a MUST do you have to do it. Otherwise, you’re officially allowed to cut corners, as it were.)

In other words, sloppily-written client software or sloppily-written server software could – accidentally or by design – subvert the understood meaning of localhost, and direct you to some unknown computer out there on the internet.

This could compromise security by allowing local-only data to leak out and be stolen…

…and yet the sloppy software that made the breach possible could nevertheless claim to be compliant with the relevant standards.

That’s a bit like insisting that your users set a password on their mobile phones, but allowing it to be blank.

Let SHOULD be MUST

Mike West wants the standards gurus to change the wording, so that we do indeed have an unequivocal name that refers to “this computer, right here, right now” – he wants to swap out several SHOULDS and replace them with MUSTS.

Very simply, he wants localhost to be your local host, officially, by design and unequivocally.

This won’t automatically make the internet more secure – non-compliant or malicious networking software could still break the rules – but it will make things more tidy, by removing any argument about what localhost is supposed to mean.

This, in turn, means it’s easier to detect non-compliant or malicious software, because there is a simple definition by which risky implementations can be detected, condemned and avoided.

What to do?

The devil really is in the details in matters like this.

The existing internet standard for localhost already permits applications to recognise it as a special name, and to force it to refer to the local host, without relying on any other software further down in the system to make that choice for you.

In other words, you can already and easily make your software compliant with both the letter and the spirit of both the current standard and the proposed new one…

…so why not do just that?


from Naked Security – Sophos http://bit.ly/2vSLxO4
via IFTTT

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s