I think you missed the sarcasm and irony that was fairly evident in his comment. However, perhaps we can expect a user who can gem install something to have an acceptable level of awareness of the security implications of such a tool?
> However, perhaps we can expect a user who can gem install something to have an acceptable level of awareness of the security implications of such a tool?
No, we cannot. From both personal experience (developers can be dumb as bricks and know nothing outside their specific knowledge domain) and good security practices (you don't trust the user, even if they say they're good for it).
And yes, I hope it was just sarcasm I missed, but that's why I had to ask.
Can you elaborate on why you equate this localtunnel to "removing all security"?
I haven't tried it, but it seems to forward a single port that's running service X that I want to make available on the net.
Any way whatsoever of fulfilling that need (no matter if it's one button click or setting up a separate VM for that service) would involve making a hole in all relevant firewalls and making the (possibly buggy) service X available to everyone.
Is the user goal of "making service X available to everyone" bad in itself?
When you allow public connections to a service running on a machine, security for that entire machine now largely depends on that service. Are you 100% sure that your copy of Apache or Nginx is patched up to date? That the web app you just coded up won't allow arbitrary command execution? That the OS has no local privilege escalation vulnerabilities?
If you are using a web host or VPS, the risk is limited to the code you're testing. You could lose the whole machine and it's no big deal.
But if you've exposed your personal machine--with all your documents, files, settings, etc.--then you've got a lot more to lose if a bad guy gets in. Worst case is a rootkit install that collects all your passwords and sends them out.
The primary use case is for web applications which will eventually run on public servers. So yes, it is a good thing for people to be able to easily simulate having their software run on a public server. It's also necessary if you're writing something that receives events from other APIs like Twilio.
Are you arguing that it is a good thing for people who have no idea what they're doing to have a 1 button click to remove all security?