Educause Security Discussion mailing list archives
Re: Help explaining why LogMeIn.com type programs are bad.
From: Alan Amesbury <amesbury () OITSEC UMN EDU>
Date: Mon, 17 Jul 2006 17:09:21 -0500
Flagg, Martin D. wrote:
I have received a request to allow global use of LogMeIn.com. I know this has been discussed before but what are the top 5 reasons not to allow this access? Also, how are people blocking this type of access? (I am blocking the FQDN)
The rationale for prohibiting this sort of access usually centers around the little things, e.g., FERPA, HIPAA, and friends. Page 5 of https://secure.logmein.com/wp_lmi_security.pdf makes some interesting claims, notably:

    The client browser establishes a connection to www.logmein.com and authenticates itself. The gateway then forwards the subsequent encrypted traffic between the client and the host. It is worth noting that the client will still need to authenticate itself to the host--the gateway mediates the traffic between the two entities but it does not require that the host implicitly trust the client.

To me this makes it sound like the gateway has full access to the traffic it's proxying. It *certainly* does some sort of arbitration for connectivity. My guess is that if your institution's auditors and lawyers are willing to sign off on companies like logmein.com as possible custodians of your data (or arbiters of authentication), it's probably a safe policy decision to use it for protected data.

The fact that their paper mentions "overrun by armed bandits" as a threat against their code-signing key sort of makes me wonder how serious they are, though. Sure, armed gunmen are a threat, but I would expect a rogue/disgruntled/careless employee and inadequate safeguards to be a far more credible/likely threat, and am disappointed that this isn't mentioned. They also describe NetBSD as "the Unix variant which is usually regarded as the most secure operating system." (I wonder if anyone's told Theo.) These obvious oversights and errors indicate to me that perhaps they're not quite as serious as one might hope.

As far as I know, UofMN isn't actively blocking this sort of stuff.

-- 
Alan Amesbury
(not speaking on behalf of the) University of Minnesota
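The original question mentions blocking the service by FQDN. The following is an added example, not code from the post or from LogMeIn, that shows why a rule matching one name is weaker than a rule matching the domain: the thread itself names both www.logmein.com and secure.logmein.com, and a block on the first alone leaves the second reachable. The proxy-log format, the IP addresses and the hostnames other than those two are constructed for the example.

```python
"""Domain blocklist check over proxy-log lines.

Added example; not code from the original post or from LogMeIn.
The log format and the hostnames other than www.logmein.com and
secure.logmein.com are constructed for illustration.
"""
import re
from typing import Iterable, List, Tuple

# Constructed sample of a CONNECT-style proxy log (not a real capture).
SAMPLE_LOG = """\
2006-07-17 17:09:21 10.1.2.3 CONNECT www.logmein.com:443 200
2006-07-17 17:09:22 10.1.2.3 CONNECT secure.logmein.com:443 200
2006-07-17 17:09:23 10.1.2.4 CONNECT WWW.LogMeIn.com.:443 200
2006-07-17 17:09:24 10.1.2.5 CONNECT notlogmein.com:443 200
2006-07-17 17:09:25 10.1.2.6 CONNECT logmein.com.example.org:443 200
2006-07-17 17:09:26 10.1.2.7 CONNECT www.example.edu:443 200
"""

# date time src CONNECT host[:port] ...
LOG_RE = re.compile(r"^\S+ \S+ (?P<src>\S+) CONNECT (?P<host>[^:\s]+)(?::\d+)? ")


def normalize(host: str) -> str:
    """Lower-case and drop a trailing dot so 'WWW.LogMeIn.com.' equals 'www.logmein.com'."""
    return host.strip().lower().rstrip(".")


def is_blocked(host: str, blocklist: Iterable[str], exact: bool = False) -> bool:
    """True if host is on the blocklist.

    exact=True  : match the full name only (what blocking a single FQDN does).
    exact=False : match the name or any parent domain, on label boundaries,
                  so 'secure.logmein.com' matches a 'logmein.com' rule but
                  'notlogmein.com' and 'logmein.com.example.org' do not.
    """
    h = normalize(host)
    rules = {normalize(r) for r in blocklist}
    if exact:
        return h in rules
    labels = h.split(".")
    # Try every suffix of the name: a.b.c -> a.b.c, b.c, c
    return any(".".join(labels[i:]) in rules for i in range(len(labels)))


def audit(log: str, blocklist: Iterable[str], exact: bool = False) -> List[Tuple[str, bool]]:
    """Parse each CONNECT line and report (normalized host, blocked?)."""
    results = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # non-CONNECT or malformed lines are ignored
        host = normalize(m.group("host"))
        results.append((host, is_blocked(host, blocklist, exact)))
    return results


def blocked_hosts(log: str, blocklist: Iterable[str], exact: bool = False) -> List[str]:
    """Hosts from the log that the given rule set would have blocked."""
    return [h for h, b in audit(log, blocklist, exact) if b]


if __name__ == "__main__":
    print("single-FQDN rule:", blocked_hosts(SAMPLE_LOG, ["www.logmein.com"], exact=True))
    print("domain rule     :", blocked_hosts(SAMPLE_LOG, ["logmein.com"]))
```

Whatever the enforcement point is (DNS, proxy ACL, firewall object), the rule needs to match the domain and its subdomains on label boundaries: case and trailing dots must be normalized, and lookalike names such as notlogmein.com or logmein.com.example.org must not match.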