path: root/doc/dbus-specification.xml
author: Simon McVittie <smcv@collabora.com> 2018-04-12 13:57:00 +0100
committer: Simon McVittie <smcv@collabora.com> 2018-04-23 18:27:44 +0100
commit: 2513f84db68a9edad8558806b777ed6c284016b9 (patch)
tree: abe7821b393bc20c8cbf2dc4c7df2321ef1adb29 /doc/dbus-specification.xml
parent: 17e28cb1b8cb07e8ffc21bc8449f5b452fb7f066 (diff)
spec, dbus-daemon(1): Say that non-local TCP is insecure
With some fairly reasonable threat models (active or passive local attacker able to eavesdrop on the network link, confidential information being transferred via D-Bus), secure authentication is insufficient to make this transport secure: it does not protect confidentiality or integrity either.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=106004
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Diffstat (limited to 'doc/dbus-specification.xml')
-rw-r--r-- doc/dbus-specification.xml 9
1 files changed, 7 insertions, 2 deletions
diff --git a/doc/dbus-specification.xml b/doc/dbus-specification.xml
index b79d9ae3..b60868f5 100644
--- a/doc/dbus-specification.xml
+++ b/doc/dbus-specification.xml
@@ -3717,8 +3717,13 @@
located on the same or different hosts.
</para>
<para>
- Using tcp transport without any additional secure authentification mechanismus
- over a network is unsecure.
+ Similar to remote X11, the TCP transport has no integrity or
+ confidentiality protection, so it should normally only be
+ used across the local loopback interface, for example using an
+ address like <literal>tcp:host=127.0.0.1</literal> or
+ <literal>tcp:host=localhost</literal>. In particular,
+ configuring the well-known system bus or the well-known session
+ bus to listen on a non-loopback TCP address is insecure.
</para>
<para>
On Windows and most Unix platforms, the TCP stack is unable to transfer
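Review bot: The added paragraph drops the removed text's mention of authentication, so a reader can still assume that a strong authentication mechanism makes a non-loopback TCP listener acceptable. The commit message makes the opposite point (authentication "does not protect confidentiality or integrity either"), and one clause saying so in the paragraph itself would close that gap. Separately, `tcp:host=localhost` is given as equivalent to `tcp:host=127.0.0.1`, but it is loopback only when the name resolves that way on the host; consider noting that, or using only the literal address in the example.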