Yes, iPhone 13
Arc is choosing 1.2 during the TLS handshake (found/confirmed via packet capture on my edge firewall)
What would the implications of running in a docker be (unraid)?
Cheers
Not really my point.
I am not thinking of a traditional supply chain attack with direct injection of malicious code in a sub component. These, while they exist, are exceptionally rare and we should not fret about them.
The bigger concern is a sub library having an unintentional vulnerability that could be exploited, like the Log4Shell exploit of the Log4j library.
There are tools that can help in catching these vulnerabilities like BlackDuck or even GitHub to a lesser level but are they part of the process? I have no idea.
Bottom line, an open port to a device that is either sensitive or on a sensitive network is simply a bad idea. Thus before I enable this great feature (and it is great!) I will have to move my Roon core to a sacrificial server on an unimportant and separate part of my network.
Agreed. I've refrained from saying this…
But, if a script kiddie wants to hack you, they'll find a way.
I'd be more worried about browsers, websites, and other such software on the computer…
I heartily commend this post to the fora.
Both your and Fernando's responses demonstrate a rather naive understanding of the cyber threat landscape. Enough said.
Not at all. My system is pretty locked down. But, I've been there and around with SQL injections into software, backdoor trojans in the past. We can only do so much. As shown by the whole QNAP disaster recently. Someone will always find a way in, and sniff around to see what can be accessed.
Yes, by users exposing their networks by publishing services and having UPnP enabled and making it exceptionally easy to attack.
Hackers go for low hanging fruit.
It's exactly the sort of hubris shown here that was exploited by the gangs operating Qlocker and Deadbolt. And they will continue to pick on those who firmly believe either "it won't happen to me", or, "it's going to happen and there is nothing I can do about it". Both mindsets are what they are looking to exploit.
Why? What are your concerns with 1.2?
I shouldn't be telling Roon what the security implications are of using TLS 1.2
TLS 1.0 to 1.2 has multiple vulnerabilities and it's bizarre that a new app would be deployed using 1.2 as the preference.
Best practice is to use 1.3 as it is faster, has a simpler handshake process and is more secure
(and only support 1.2 for backwards compatibility)
You aren't.
They just asked me
No they didn't.
By the way there are plenty of vulns in TLS 1.3 as well.
Ah well that negates any reason to go with the best option available then.
If there's vulns in 1.3 why not just switch off security completely
Yes, the logical conclusion of these kinds of security discussions is that we should all just not have any computers and never use the internet. That's secure
So, do I understand correctly that running ROCK on a separate NUC only exposes this NUC to potential security risks from opening a port for ARC, however small these risks may be? Or could Rock potentially be infected in a way that other devices/shares on the network also become accessible for outside attacks?
Should Roon maybe recommend a separate roon server device for people using Arc, given such security issues?
I think ROCK on a separate device (NUC) is probably the best option from a security perspective. Unless you intend to go to the lengths that some here recommend of DMZs, sacrificial servers and isolated VLANs. Which IMO are not really necessary.
Theoretically something malicious could jump from your NUC running ROCK to another device but the chances of this seem very small.
Can someone please advise what manual port forward config is?
(p.s. I'm an Economist who likes music.)
Yep that is it… for your information as well, after changing it to 0, each time I have restarted the core since installing 2.0 the 0 is replaced by the port no. that originally appeared there… so just in case, I go to settings each time and put it back to 0.