bruce wrote:
there is no security issue, other than the fact that you need to specify/open ports, and you need to 'trust' your client app.
That 'client' app designation is now blurred though. By opening up ports it is making your desktop system a server in the sense that anonymous users can connect to your system and send arbitrary data to the BitTorrent 'client' running on your system. So now you have to trust that the 'client' app handles anonymous incoming connections and the data that is sent to it in a secure way. For users of the official python BitTorrent not only do you have to trust that BitTorrent is coded correctly but you also have to trust that Python does not have any security issues that might be triggered by a properly coded python program. I don't know of any security issues with the source to Python or BitTorrent but I doubt anyone could say it does not have any exploitable security issues as a fact.
IMHO opening ports so that anonymous users can connect and send data to a program running on the user's desktop should throw up red flags for many security cautious users.
Imagine what would happen if some PTP app had a security flaw that was exploitable by sending data to the opened port. Evil hackers could have a field day. I don't think end users think about this though so they go by the PTP programs directions to open ports thinking that it is just normal to do so.
With that said though I still use BitTorrent at home but I isolate it from my LAN. I place the BitTorrent client on a system that is on a physically different firewall interface than my LAN which has no access to the internal LAN.
