A new connection to a YARP port is established via handshaking on a TCP port, (see yarp::os::impl::TcpFace).
So everyone who can access this TCP port can connect to your YARP port (as long as he understands the protocol).
So if you are not behind a firewall, you are exposing your YARP infrastructure to the world. This is frustrating at a minimum if someone is messing with your nameserver. And if your application is vulnerable to corrupted data, it is a security leak. In particular, all iCub users running the yarprun server for the application manager should be aware of this issue (see iCub wiki).
To protect your ports, you can enable the port authentication which adds a key exchange to the initial handshaking in order to authenticate any connection request. It uses a 3-way HMAC mechanism with SHA256.
Create a file 'auth.conf' in a directory that "yarp resource --find auth.conf" would find, with the following content:
You can 'test' it by opening a telnet connection to your nameserver. Instead of a welcome message you should see only garbage.
Now, only yarp applications with the same key can connect to each other. This also applies to the nameserver (as it is just a regular port).
I consider this mechanism to be secure for handshaking, but it comes without any warranty. Every user should still feel responsible for the security of their system.