Security Risk With UPnP & MiniSSDPd. Suggested Resolution.
Challenge
About this comment at jami-client-qt#1046 (comment 42019)
It seems that Jami might somehow use the very weak security UPnP and/or MiniSSDPd. Does Jami require UPnP or MiniSSDPd? Or are those just optional?
Suggested Resolution
If somehow Jami depends on the very weak security UPnP and/or MiniSSDPd, to resolve this security risk, I suggest for Jami to keep UPnP and/or MiniSSDPd as optional. Not as requirements. So that people who need stronger security first and convenience second, are still able to use Jami. While at the same time, people who need speed first, and security second, are still able to use both UPnP and/or MiniSSDPd.
In other words, for security prevention and for stronger security, I suggest NEVER install, NEVER activate, and NEVER use UPnP.
If you activate and use UPnP, the automatic discovery of new devices would still work. But it would be slower. If you disable or remove UPnP, your operating system, such as, but not limited to, Debian, Linux Mint, Ubuntu, would have STRONGER security. So it depends on your current needs.
Below is the same answer as above. But with details if this is of interest.
UPnP
Speaking for myself. I do NOT trust UPnP. Because it has a very long history of WEAK security. Catastrophically low security history actually. Find the examples and sources below. I disabled my UPnP. Because for me safety is more important than speed.
For those who are not familiar with UPnP, in summary what it does is it allows networking devices, such as personal computers, printers, Internet gateways, Wi-Fi hotspots and mobile devices to seamlessly discover each other’s presence on the network and establish functional network services for data sharing, communications and entertainment. The challenge with UPnP is that, for example, routers, printers and other devices can be remotely controlled by a new attack that exploits a security vulnerability in the Universal Plug and Play network protocol. And UPnP has a very long history of weak security.
Examples of security vulnerabilities with UPnP:
    • https://archive.md/28Y6i
• October 2019 https://www.howtogeek.com/122487/htg-explains-is-upnp-a-security-risk/
    • https://archive.md/3Bnh0
• May 2019 https://www.debian.org/lts/security/20
MiniSSDPd
For those not familiar with MiniSSDPd. In summary, MiniSSDPd is optional. Either deactivating it or fully removing it, would not break anything on your device.
The device discoveries will still work fine. But they might be slower though. If you deactivate or remove MiniSSDPd, your operating system, such as, but not limited to, Debian, Linux Mint, Ubuntu, etc, would have stronger security. So it depends on your needs.
The router weak security UPnP optional feature depends on the external device MiniSSDPd daemon. By "device" I mean that this MiniSSDPd software is located on each device (computer, mobile, tablet, etc).
About MiniSSDPd package for Debian 10 Buster at https://manpages.debian.org/buster/minissdpd/minissdpd.1.en.html
Below is the same answer as above. But with details if you're interested in those.
Speaking for myself only. I do NOT trust MiniSSDPd. Because it has a very weak security history. Catastrophically weak security history in fact. Find the examples & sources below. I deactivated my MiniSSDPd. Because to me security is more important than speed.
The good news is that starting with Debian 10 Buster. MiniSSDPd is deactivated by default.
For those not familiar with MiniSSDPd, in summary what it does is that it speeds up device discoveries. For example, if you plug a new device on your Debian, it will be detected faster. The challenge with MiniSSDPd is that, for example, routers, printers, and other devices can be remotely commandeered by a new attack that exploits a security flaw in the Universal Plug and Play network protocol. And MiniSSDPd has a very long history of weak security.
MiniSSDPd depends on the router weak security feature called UPnP.
Examples of security flaws with MiniSSDPd and UPnP:
• October 2019 https://www.howtogeek.com/122487/htg-explains-is-upnp-a-security-risk/
• May 2019 https://www.debian.org/lts/security/2019/dla-1805.en.html
• May 2016 https://www.debian.org/lts/security/2016/dla-454.en.html
• January 2013 https://www.hdm.io/writing/SecurityFlawsUPnP.pdf
    • https://web.archive.org/web/20200927005146/https://www.hdm.io/writing/SecurityFlawsUPnP.pdf
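
A check related to the post above, added here as an example and not part of the original post or of Jami's code: it parses `ss` output to list anything bound to UDP port 1900, the standard SSDP port that UPnP discovery daemons such as MiniSSDPd listen on. The function names, the `--live` switch and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list sockets bound to UDP 1900,
# the standard SSDP port used by UPnP discovery daemons such as MiniSSDPd.

# Reads `ss -H -uln -p` style output on stdin; prints "<local addr> <process>".
ssdp_listeners() {
    awk '
    {
        for (i = 1; i <= NF; i++) {
            # The first addr:port field is the local address; the next is the peer.
            if ($i ~ /:([0-9]+|\*)$/) {
                if ($i ~ /:1900$/) {
                    proc = "unknown"   # ss hides process names from non-root users
                    if (match($0, /users:\(\("[^"]+"/))
                        proc = substr($0, RSTART + 9, RLENGTH - 10)
                    print $i, proc
                }
                break
            }
        }
    }'
}

# Constructed sample input (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
UNCONN 0 0 0.0.0.0:1900 0.0.0.0:* users:(("minissdpd",pid=812,fd=4))
UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* users:(("avahi-daemon",pid=640,fd=12))
udp UNCONN 0 0 [::]:1900 [::]:*
EOF
}

# Live check on this machine: sh ssdp_check.sh --live   (run as root to see process names)
if [ "${1:-}" = "--live" ]; then
    found=$(ss -H -uln -p | ssdp_listeners)
    if [ -n "$found" ]; then
        printf 'SSDP listeners present:\n%s\n' "$found"
    else
        echo 'Nothing is bound to UDP 1900.'
    fi
fi
```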