Reply to post: WTF

Spooks, plod and security industry join to chase bank hacker

Voland's right hand Silver badge


SSDP is supposed to be used only over multicast.

Listening on a unicast address and replying to a unicast datagram for it is a BUG. Similarly, you should never listen to SSDP from outside your local network as it is a massive security risk - this is effectively opening your UPnP to the world.

The idiot vendors who do (and ship such buggy implementations) should be named, shamed and removed from sale (that is the only way to deal with it - we should start removing CE and FCC kitemarks from SOHO crapware running non-standards compliant software). After all, if something does not comply with f.e. wireless standards it can be removed from sale. I do not see why this should not apply to network standards as well. In fact, it can be removed under a whole raft of consumer legislation (the stuff usually enforced by trading standards) too. All of that if anyone was _REALLY_ bothered by this. As long as it is not being removed, I find it difficult to believe that this is the case.

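The behaviour the comment above describes as a bug (answering an SSDP M-SEARCH that arrived as a unicast datagram, or one that did not originate on the local network) can be checked with a small admission test before a responder replies. The following is an added example written for this page, not code from the commenter, The Register, or any vendor's UPnP stack; the local prefix, the sample datagrams and the `Datagram` container are constructed for illustration. The multicast group 239.255.255.250 and port 1900 are the standard SSDP values.

```python
import ipaddress
from dataclasses import dataclass

# Standard SSDP discovery group and port (UPnP Device Architecture).
SSDP_MCAST_V4 = ipaddress.IPv4Address("239.255.255.250")
SSDP_PORT = 1900

# Assumption for the example: the responder knows which prefixes are "local".
# A real device would derive this from its interface configuration.
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]


@dataclass
class Datagram:
    """Minimal view of a received UDP datagram (constructed for the example)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes


def parse_msearch(payload: bytes):
    """Parse an SSDP M-SEARCH request; return its headers or None if not one."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = text.split("\r\n")
    if not lines[0].upper().startswith("M-SEARCH * HTTP/1.1"):
        return None
    headers = {}
    for line in lines[1:]:
        if line == "":          # blank line ends the header block
            break
        if ":" not in line:
            return None         # malformed header line: reject the request
        name, value = line.split(":", 1)
        headers[name.strip().upper()] = value.strip()
    return headers


def should_answer(dg: Datagram, local_nets=LOCAL_NETS):
    """Decide whether a compliant SSDP responder should reply to this datagram.

    Returns (answer: bool, reason: str). The checks encode the two points made
    in the comment: only multicast-addressed searches are answered, and only
    from sources on the local network.
    """
    headers = parse_msearch(dg.payload)
    if headers is None:
        return False, "not a well-formed M-SEARCH request"
    if headers.get("MAN") != '"ssdp:discover"':
        return False, "missing or wrong MAN header"
    if headers.get("HOST", "").split(":")[0] != str(SSDP_MCAST_V4):
        return False, "HOST header does not name the SSDP multicast group"
    dst = ipaddress.ip_address(dg.dst_ip)
    if dst != SSDP_MCAST_V4 or dg.dst_port != SSDP_PORT:
        # Delivered to a unicast address: the bug the comment describes.
        return False, "unicast M-SEARCH: only multicast discovery is answered"
    src = ipaddress.ip_address(dg.src_ip)
    if not any(src in net for net in local_nets):
        return False, "source address is outside the local network"
    return True, "multicast discovery from the local network"


# Constructed sample datagrams.
_MSEARCH = (
    b"M-SEARCH * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b'MAN: "ssdp:discover"\r\n'
    b"MX: 2\r\n"
    b"ST: ssdp:all\r\n"
    b"\r\n"
)
GOOD = Datagram("192.168.1.20", "239.255.255.250", 1900, _MSEARCH)
UNICAST = Datagram("192.168.1.20", "192.168.1.1", 1900, _MSEARCH)      # the bug
EXTERNAL = Datagram("203.0.113.7", "239.255.255.250", 1900, _MSEARCH)  # off-LAN source
JUNK = Datagram("192.168.1.20", "239.255.255.250", 1900, b"GET / HTTP/1.1\r\n\r\n")

if __name__ == "__main__":
    for name, dg in [("good", GOOD), ("unicast", UNICAST),
                     ("external", EXTERNAL), ("junk", JUNK)]:
        print(name, should_answer(dg))
```

The decision is made on the datagram's actual destination address, not on the HOST header alone, because the header is attacker-controlled while the destination is a fact of how the packet was delivered; both are checked so that a unicast probe carrying a spoofed HOST header is still refused.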

Biting the hand that feeds IT © 1998–2020