> The first part of that may be true, but the second part is definitely false. It is very hard to write your own secure anything-connected-to-a-network.
From years of using, writing, and reading about network software. I'm not sure if you're being obstinate or naive, or if you actually have some silver bullet for writing secure network software, but if it's the latter, I'm sure lots of people would love to pick your brain!
All the same things that are difficult to get right in any other chunk of code that handles arbitrary input from across the internet. I have a couple tomes on this subject: "The Art of Software Security Assessment" is 1200 pages long, "The Web Application Hacker's Handbook" is another 900 pages. Nobody has solved all the issues discussed in those (and many other) books in such a way that makes this no longer "hard".
Note that I'm not at all claiming this stuff is impossible or a total lost cause, just that I think it easily passes the bar for "hard", and is certainly tricky enough to get right that I personally don't think it's worth the effort to run network-connected services unless they're for a business that I'm hoping will pay for my time and effort somehow.
> All the same things that are difficult to get right in any other chunk of code that handles arbitrary input from across the internet.
That's about as unspecific as you can be, isn't it? So, let me give the equally uninformative answer: All of those are either easy to prevent, or they lead to a DoS, which isn't a big concern for a personal email server.
> "The Art of Software Security Assessment" is 1200 pages long
Haven't read it, but by its TOC, it's mostly irrelevant to the given problem (except maybe that it teaches you to not write you personal mail server in C, who would have thought ...).
> "The Web Application Hacker's Handbook" is another 900 pages.
Didn't I say something about avoiding complexity? No, you should not build your mail server as a web application, in case that wasn't clear.
> Nobody has solved all the issues discussed in those (and many other) books in such a way that makes this no longer "hard".
Well, how about you give an example of one problem that you think is still hard enough to be a major obstacle to implementing you own secure personal mail server?
> [...] that I personally don't think it's worth the effort to run network-connected services unless they're for a business that I'm hoping will pay for my time and effort somehow.
How is it that you suddenly switched to "services"? I thought we were talking about "network software"? Am I supposed to believe that you are not running a web browser unless it's for a business that you're hoping will pay for your time and effort somehow? How about web applications? Or what is your justification for a distinction between "services" and "network software", as far as possible security impact is concerned?
As for your final paragraph about word choice: I'm not sure what you mean, I'm just talking about any software that is running somewhere and accessible across a network.
As for the rest of it... there was a time when I would have bothered trying to delineate some specifics for you, thinking I was providing some educational service or something, or that maybe I'd learn something from you in the discussion, but I'm getting the sense that if I did that, you would just be dismissive of all those things as "not a big concern", "because of complexity", "because of C", etc., and I would be wasting my time.
There are plenty of places you can go read about this stuff if you want to, but I don't think you do, I think you're just looking for an argument. Good luck to you!
> As for your final paragraph about word choice: I'm not sure what you mean, I'm just talking about any software that is running somewhere and accessible across a network.
Well, a web browser is accessible across a network. An email client is accessible across a network. What fundamentally distinguishes a mail server from either of those that justifies rejecting to run one of those yourself outright, while presumably being fine with the others?
You seem to have some implicit assumption that a piece of software that opens a listening TCP socket is somehow much more vulnerable than one that doesn't. I don't think that that is justified, and if anything, gives you a false sense of security.
> but I'm getting the sense that if I did that, you would just be dismissive of all those things as "not a big concern", "because of complexity", "because of C", etc., and I would be wasting my time.
I am not dismissing anything, I am just pointing out why those aren't problems. If you disagree, feel free to disagree. And maybe make an actual more specific argument than "there are a lot of things one can do wrong".
I mean, how is it relevant that there are tons of ways to screw up buffer handling in C when the obvious solution is to just not write your own personal mail server in C? Yes, it is hard to write secure software in C. Very hard. Yes, there are cases where there are good reasons to write network software in C despite that. Is your own personal mail server one of them? No.
Or how is it relevant that the web is a hugely complex mess of inherently insecure APIs when the task at hand is writing an email server? Just don't write your email server as a web application and you don't have to deal with any of the myriads of security problems that plague the web.
> There are plenty of places you can go read about this stuff if you want to, but I don't think you do, I think you're just looking for an argument. Good luck to you!
Thanks, but I think I have found enough vulnerabilities to not need any introductory books to understand how people constantly screw up security in their code.
Lookit, this thread started because you said "nor is it that hard to even write your own secure mail server, alone", which I disagreed with, saying that it is in fact "very hard". You seem to have a definition of the word "hard" that is just much closer to "infeasible" than my own, which is nearby "takes a good deal of expertise and / or effort". It really isn't very interesting which of us is more "right" about what is and isn't "hard".
I honestly hope you're right that someday I'll work on a project and find myself thinking "wow, it wasn't even that hard to get the security story right on this", and I guess that day has already come for you, but it certainly hasn't for me.
> You seem to have a definition of the word "hard" that is just much closer to "infeasible" than my own, which is nearby "takes a good deal of expertise and / or effort".
Well, maybe. But I don't really think it takes all that much expertise. Maybe it does, in the sense that there are so many tools out there that you in principle could use to try and build an email server, and without any expertise, it might be hard to tell which tools to use, and, more importantly, which ones to avoid.
So, without expertise, you might end up stuck in the local minimum that is C, say, which in turn then requires a lot of expertise and effort to build something secure, because there are just to many pitfalls to be constantly aware of if you want to pull it off. But if you manage to avoid that local minimum and use a memory-safe language with garbage collection, suddenly, avoiding buffer overflow exploits is trivial. You don't even need to understand what a buffer overflow is and why/how it can be exploited. They simply don't happen, without any detailed expertise needed.
The thing is that you very well might end up writing your email server in a memory-safe language by accident. Writing a secure email server in C by accident, though? Extremely unlikely.
Also, many possible security problems that plague software simply don't apply to email servers. The web is a mess and difficult to build something secure for. But email servers don't have to deal with the web, so you cannot even accidentally stumble into those problems when you are writing an email server.
> But I don't really think it takes all that much expertise.
I think you may be living in a bubble. Building any working software takes a lot of expertise. Maybe you just mean "expertise in addition to that necessary to build any working software". In which case, maybe I don't disagree with you so much. But again, we're just debating the definitions of words like "hard" and "expertise"!
There are more security issues to be concerned about than buffer overflow. Just as an example, your email server needs authentication and authorization, which are also tricky to get right. There are plenty of logic-level security issues like that for which just choosing a memory-safe language is not a solution.
No, it's not. Where did you get that idea?