Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Are TCP connections on localhost secure?

Tags:

security

authentication

tcp

sockets

localhost

Domain

I am designing a piece of software ATM and I would like to hide necessary cryptographic operations behind a "crypto daemon", which accesses encrypted keys on disk and offers a high level, application specific interface to these operations.

The other programs have to:

  • Authenticate to the daemon (valid authentication allows the daemon to decrypt the keys on disk)
  • Issue commands to the daemon and receive answers

I have the idea of using TCP via localhost for these operations. After doing the TCP handshake, the program has to authenticate to the daemon and - if successful - crypto commands can be issued to the daemon.

Actual Question

At least two assumptions have to hold, otherwise this is insecure by design:

  1. TCP channels on localhost cannot be hijacked/modified (except by the admin/root)
  2. TCP channels on localhost are private (cannot be peeked at) (except by admin/root)

Are these assumptions true? Why? Why not? Is anything else flawed?

like image 876
dubadu Avatar asked Dec 16 '22 08:12

dubadu

1 Answers

Loopback connections are in general not subject to man-in-the-middle attacks (from other non-root processes on the same box, or from outside the box).

If you intend to use loopback as a poor-man's-transport-security (instead of TLS) you will have to ensure that both ends of the connection are suitably protected:

  • On the client end, what is the consequence of an unauthorised low-privilege process being allowed to connect to the server? If client access is protected by a plaintext password, you might consider a brute-force attack against that password, and address that with password complexity and auditing of failures.

  • On the server end, is it conceivable for a low-privilege process to cause the server to terminate (eg crash it with malformed input or resource exhaustion), and replace it with a trojaned listener that would steal the password from a client or return misleading results? You might consider using Unix's low port number protection to stop this (but then you have to worry about running as root/setuid/fork).

It depends on your threat model how much of a concern you have with protecting against local access; you may take the position that your infra sec and monitoring is sufficient to discount the scenario of an attacker getting a low-privilege account. But in the general case, you may be better off biting the bullet and going with the well-known solution of TLS.

like image 190
bobince Avatar answered Dec 22 '22 00:12

bobince
Sign in to Comment

Related questions

avoid session hijacking for Web Applications
Is it a bad idea to automatically log users in from an email?
What steps can be taken to ensure the security of a PHP application?
what is the vulnerability of having Jsessionid on first request only
Create a security identifier for the current domain
php sessions security query
What are all the security measures I should check over before deploying my Rails application?
How can I scrape data from the Israeli Bureau of Statistics web query tool?
Avoiding SQL Injection
AJAX security questions
certmgr.exe command utility location
Is there a way to block a class from being reflected upon?
Is encrypting twice good or bad? [closed]
Copying a file to a network share which I don't have access to
How to password protect pdf in PHP [duplicate]
Do I need to password protect my web app if it's at an obscure URL?
information on Data Protection API (DPAPI)
UDP vs TCP security
Hardening wordpress on IIS7+ web.config equivalent of .htaccess
Symfony 2 functional test: authenticate user of own User class

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!