From owner-freebsd-security@FreeBSD.ORG Mon Dec 18 10:58:17 2000
Delivered-To: freebsd-security@freebsd.org
Message-ID: <005a01c06924$77186340$ca00030a@seifried.org>
Reply-To: "Kurt Seifried"
From: "Kurt Seifried"
To: "Alfred Perlstein", "Moses Backman III"
Cc: "Todd Backman",
References: <20001218133716.A550@cg22413-a.adubn1.nj.home.com> <20001218104954.B19572@fw.wintelcom.net>
Subject: Re: woah
Date: Mon, 18 Dec 2000 11:58:09 -0700
Sender: owner-freebsd-security@FreeBSD.ORG

Stupid question, but why did you send this to me and a mailing list, etc?

> Kurt, I was pretty disappointed to see this article. If you tear
> it down to the base content, the only problem with SSL/SSH is stupid
> users.

And the fact that SSL/SSH rely on said stupid users. Usually the weakest link...

> I understand that dsniff is a powerful tool for intercepting network
> traffic, however it will not be "the end" of SSL and SSH technologies.

Well, telnet isn't dead either (yet...), but I doubt any security conscious person would advocate using it anymore. SSH/SSL are somewhat better than nothing, but far from perfect.

> If I get "server has changed keys" messages and I'm not certain
> that it was myself that upgraded ssh or did a clean install, there's
> no way I'm going to authorize the key exchange.

I asked some users; most said they have clicked OK. Also, what about connecting to a new server? How do you verify the key: phone the server admin and ask for the fingerprint?

> This is like blaming bullet proof vests for the moron that decided to
> wear his like a turban. :)

What is it with stupid gun-related examples? It's more like me saying "The end of bullet proof vests - someone just released a product called "sure headshot (TM)" that gives you a pretty much guaranteed head shot, meaning your BPV might be useful for ID'ing the corpse".

> Is there something I'm missing here?

Telnet was just a fine protocol, well, until people started releasing sniffers that were dead easy to use. And then things like the HUNT project that let you easily hijack/kill TCP connections (like telnet =). For some reason we don't send cleartext as much anymore; why is that? Perhaps SSH/SSL are not the be-all end-all perfect solution, imagine that.

The main point of the article was to educate users. Like those people that know less than "us", who as a rule tend to believe blindly that SSH and SSL make things "secure".

> -Alfred

Kurt Seifried, seifried@securityportal.com
SecurityPortal - your focal point for security on the 'net
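The message above asks how a user is supposed to verify a host key at all, whether on a first connection or after a "server has changed keys" warning. The answer is the fingerprint check: compute the fingerprint of the key the server presented and compare it with one obtained out of band (from the admin, a published list, or a previously recorded known_hosts entry). The following is an added example, not code from this thread or from OpenSSH; it reimplements the two fingerprint formats ssh-keygen prints (the colon-separated MD5 form that ssh showed in 2000 and the SHA256: base64 form modern OpenSSH shows) over a constructed known_hosts line with a made-up Ed25519 key blob, and it also shows the "key changed" comparison the warning is based on.

```python
import base64
import hashlib
import hmac

# --- constructed sample data (not a real host's key) ----------------------
def _wire_string(b: bytes) -> bytes:
    """OpenSSH wire encoding of a string: 4-byte big-endian length + bytes."""
    return len(b).to_bytes(4, "big") + b

# A fake 32-byte Ed25519 public key wrapped in the OpenSSH public-key blob
# format ("ssh-ed25519" type string followed by the raw key).
_FAKE_PUBKEY = bytes(range(32))
SAMPLE_KEY_BLOB = _wire_string(b"ssh-ed25519") + _wire_string(_FAKE_PUBKEY)
SAMPLE_KNOWN_HOSTS_LINE = (
    "example.test ssh-ed25519 " + base64.b64encode(SAMPLE_KEY_BLOB).decode()
)

# A second constructed key for the same host name, standing in for what a
# different server (or an interposed host) would present.
_OTHER_PUBKEY = bytes(range(1, 33))
OTHER_KEY_BLOB = _wire_string(b"ssh-ed25519") + _wire_string(_OTHER_PUBKEY)
OTHER_KNOWN_HOSTS_LINE = (
    "example.test ssh-ed25519 " + base64.b64encode(OTHER_KEY_BLOB).decode()
)


def parse_known_hosts_line(line: str):
    """Return (hostnames, keytype, key_blob) for one plain known_hosts line."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("not a known_hosts entry")
    hosts, keytype, b64 = fields[0], fields[1], fields[2]
    blob = base64.b64decode(b64)
    # The declared key type must match the type string embedded in the blob;
    # a mismatch means the line was mangled or tampered with.
    tlen = int.from_bytes(blob[:4], "big")
    if blob[4:4 + tlen] != keytype.encode():
        raise ValueError("key type in blob does not match declared type")
    return hosts.split(","), keytype, blob


def fingerprint_md5(blob: bytes) -> str:
    """Old-style fingerprint (ssh-keygen -l circa 2000): 16 colon-separated hex bytes."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(blob: bytes) -> str:
    """Modern OpenSSH fingerprint: 'SHA256:' + unpadded base64 of the SHA-256 digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verify_host_key(line: str, expected_fingerprint: str) -> bool:
    """Compare the presented key's fingerprint with one obtained out of band.

    Accepts either format; the comparison is case-insensitive for the hex
    form and uses a constant-time compare.
    """
    _, _, blob = parse_known_hosts_line(line)
    expected = expected_fingerprint.strip()
    if expected.startswith("SHA256:"):
        actual = fingerprint_sha256(blob)
    else:
        actual = fingerprint_md5(blob)
        expected = expected.lower().removeprefix("md5:")
    return hmac.compare_digest(actual, expected)


def host_key_changed(stored_line: str, presented_line: str) -> bool:
    """True when the same host now presents a different key of the same type.

    This is the condition behind the "server has changed keys" warning; the
    right response is to re-verify the fingerprint out of band, not to click OK.
    """
    s_hosts, s_type, s_blob = parse_known_hosts_line(stored_line)
    p_hosts, p_type, p_blob = parse_known_hosts_line(presented_line)
    same_host = bool(set(s_hosts) & set(p_hosts))
    return same_host and s_type == p_type and s_blob != p_blob


if __name__ == "__main__":
    print("MD5   :", fingerprint_md5(SAMPLE_KEY_BLOB))
    print("SHA256:", fingerprint_sha256(SAMPLE_KEY_BLOB))
    print("changed:", host_key_changed(SAMPLE_KNOWN_HOSTS_LINE, OTHER_KNOWN_HOSTS_LINE))
```

Run it to see both fingerprint forms for the constructed key; in practice the value you compare against is the one the server admin reads you from `ssh-keygen -l` on the host's own public key file, never the one shown in the prompt you are trying to validate.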