summaryrefslogtreecommitdiffstats
path: root/research/security.page
blob: 14b752408f7d02b014a6ef1b29010c0ef8fa5b73 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

## Questions

External attackers likely could/would port scan and be able to identify the
device; is that a problem?

## Pitfalls, Lessons Learned

XSS attack to back out geo location of router: <http://samy.pl/mapxss/>

## Links, Unsorted

Advice on HTTPS: http://www.imperialviolet.org/2012/07/19/hope9talk.html

[Tripphrases](http://worrydream.com/tripphrase/)

plan9 security: [Factotum](http://doc.cat-v.org/plan_9/4th_edition/papers/auth)

Users should probably have a single "root" GPG key for every distinct
identity/persona that they present to the external world, and then generate
subkeys for use with each host/device and external service. This allows more
fine grained control over revokation and access control (eg, if a device is
lost then suspend/revoke that key). An API or tools to help distribute
certificates, signing information, and revokations would be helpful.