[Printing-architecture] IPP-over-USB and Printer Applications: DNS-SD-advertise localhost:PORT a security problem?

Till Kamppeter till.kamppeter at gmail.com
Wed Nov 21 22:26:39 UTC 2018


I talked with Sean Kau and David Valleau from Chrome OS (CCed) about the 
implementation of IPP-over-USB with ippusbxd in Chrome OS. Sean told

Using DNS-SD on localhost doesn't fit our security model as we don't 
want to allow arbitrary processes to talk to each other.

This would mean that we cannot implement IPP-over-USB and Printer 
Applications as innitially thought out. They are supposed to make the 
printer available as


with PORT varying so that there can be several devices connected to the 
same machine (and CUPS running in addition). For CUPS (or the printing 
system in general) automatically discovering the devices and creating 
print queues the Printer Applications (and ippusbxd) are supposed to 
advertise themselves via DNS-SD.

This would mean (local-only) advertising of localhost via DNS-SD, which 
Sean considers a security problem. Is this actually a security problem? 
If so, how should Printer Applications (and ippusbxd) actually work?


More information about the Printing-architecture mailing list