Date:      Mon, 18 Dec 2000 11:58:09 -0700
From:      "Kurt Seifried" <seifried@securityportal.com>
To:        "Alfred Perlstein" <bright@wintelcom.net>, "Moses Backman III" <penguinjedi@home.com>
Cc:        "Todd Backman" <todd@flyingcroc.net>, <freebsd-security@FreeBSD.ORG>
Subject:   Re: woah
Message-ID:  <005a01c06924$77186340$ca00030a@seifried.org>
References:  <Pine.BSF.4.21.0012172347240.48779-100000@security1.noc.flyingcroc.net> <20001218133716.A550@cg22413-a.adubn1.nj.home.com> <20001218104954.B19572@fw.wintelcom.net>

Stupid question but why did you send this to me and a mailing list, etc?

> Kurt, I was pretty disappointed to see this article.  If you tear
> it down the to base content, the only problem with SSL/SSH is stupid
> users.

And the fact that SSL/SSH rely on said stupid users. Usually the weakest link...

> I understand that dsniff is a powerful tool for intercepting network
> traffic, however it will not be "the end" of SSL and SSH technologies.

Well telnet isn't dead either (yet..), but I doubt any security conscious person would advocate using it anymore. SSH/SSL are
somewhat better than nothing, but far from perfect.

> If I get "server has changed keys" messages and I'm not certain
> that it was myself that upgraded ssh or did a clean install, there's
> no way I'm going to authorize the key exchange.

I asked some users, most said they have clicked ok. Also what about connecting to a new server? How do you verify the key, phone the
server admin and ask for the fingerprint?

> This is like blaming bullet proof vests for the moron that decided to
> wear his like a turban. :)

What is it with stupid gun-related examples? It's more like me saying "The end of bullet proof vests - Someone just released a
product called "sure headshot (TM)" that gives you pretty much guaranteed head shots, meaning your BPV might be useful for ID'ing the
corpse".

> Is there something I'm missing here?

Telnet was just a fine protocol, well until people started releasing sniffers that were dead easy to use. And then things like the
HUNT project that let you easily hijack/kill TCP connections (like telnet =). For some reason we don't send cleartext as much
anymore, why is that? Perhaps SSH/SSL are not the be-all end-all perfect solution, imagine that.

The main point of the article was to educate users. Like those people that know less than "us", who as a rule tend to believe
blindly that SSH and SSL make things "secure".

> -Alfred

Kurt Seifried, seifried@securityportal.com
SecurityPortal - your focal point for security on the 'net
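The thread's question of how a user actually checks a host key (phone the admin for the fingerprint, refuse a "changed key" prompt) comes down to comparing a known_hosts entry against a fingerprint obtained out of band. The script below is an added example, not code from anyone in the thread: it parses constructed known_hosts lines, computes OpenSSH-style SHA256 fingerprints, and reports whether a host's stored key matches the fingerprint the admin gave you. Host names and key bytes are constructed placeholders.

```python
"""Check a known_hosts entry against an out-of-band SSH host key fingerprint.
Added example; hosts and keys below are constructed, not real servers."""
import base64, hashlib, struct

def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def ed25519_blob(raw_pubkey: bytes) -> bytes:
    """OpenSSH public key blob for ssh-ed25519 (type string + 32 raw key bytes)."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)

def fingerprint(blob: bytes) -> str:
    """OpenSSH 'SHA256:' fingerprint: base64 of the digest, padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text: str) -> dict:
    """Map every plain host name/address to its (key type, decoded blob).
    Comments and hashed (|1|...) entries are skipped for brevity."""
    hosts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("|1|"):
            continue
        names, keytype, b64 = line.split()[:3]
        for name in names.split(","):
            hosts[name] = (keytype, base64.b64decode(b64))
    return hosts

def check_host_key(known_hosts: str, host: str, expected_fp: str) -> str:
    """'ok' if the stored key's fingerprint equals the admin-supplied one,
    'unknown-host' if no entry exists, 'MISMATCH' if the key differs."""
    entry = parse_known_hosts(known_hosts).get(host)
    if entry is None:
        return "unknown-host"
    return "ok" if fingerprint(entry[1]) == expected_fp else "MISMATCH"

# Constructed sample: HONEST_KEY is the key the admin actually deployed;
# the build host's entry holds a different key, as after a swapped key.
HONEST_KEY, OTHER_KEY = bytes(range(32)), bytes(32)
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts",
    "shell.example.net,10.0.0.5 ssh-ed25519 " + base64.b64encode(ed25519_blob(HONEST_KEY)).decode(),
    "build.example.net ssh-ed25519 " + base64.b64encode(ed25519_blob(OTHER_KEY)).decode(),
])
ADMIN_FP = fingerprint(ed25519_blob(HONEST_KEY))  # what the admin reads over the phone

if __name__ == "__main__":
    for host in ("shell.example.net", "build.example.net", "new.example.net"):
        print(host, check_host_key(KNOWN_HOSTS, host, ADMIN_FP))
```

Compare `ADMIN_FP` with what `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` prints on the real server; any result other than `ok` means do not accept the key.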
