From owner-freebsd-security Mon Dec 18 11:26:44 2000
From owner-freebsd-security@FreeBSD.ORG Mon Dec 18 11:26:40 2000
Delivered-To: freebsd-security@freebsd.org
Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id 3F09037B400; Mon, 18 Dec 2000 11:26:40 -0800 (PST)
Received: (from bright@localhost) by fw.wintelcom.net (8.10.0/8.10.0) id eBIJOYi09142; Mon, 18 Dec 2000 11:24:34 -0800 (PST)
Date: Mon, 18 Dec 2000 11:24:34 -0800
From: Alfred Perlstein
To: Kurt Seifried
Cc: Moses Backman III, Todd Backman, freebsd-security@FreeBSD.ORG
Subject: Re: woah
Message-ID: <20001218112434.C19572@fw.wintelcom.net>
References: <20001218133716.A550@cg22413-a.adubn1.nj.home.com> <20001218104954.B19572@fw.wintelcom.net> <005a01c06924$77186340$ca00030a@seifried.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <005a01c06924$77186340$ca00030a@seifried.org>; from seifried@securityportal.com on Mon, Dec 18, 2000 at 11:58:09AM -0700
Sender: bright@fw.wintelcom.net
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

* Kurt Seifried [001218 10:58] wrote:
> Stupid question but why did you send this to me and a mailing list, etc?
>
> > Kurt, I was pretty disappointed to see this article. If you tear
> > it down to the base content, the only problem with SSL/SSH is stupid
> > users.
>
> And the fact that SSL/SSH rely on said stupid users. Usually the weakest link...

I wouldn't say they rely on stupid users, just that there's so many out there (stupid users) that the odds are that a lot of them are using SSL/SSH.

> > I understand that dsniff is a powerful tool for intercepting network
> > traffic, however it will not be "the end" of SSL and SSH technologies.
>
> Well telnet isn't dead either (yet..), but I doubt any security
> conscious person would advocate using it anymore. SSH/SSL are
> somewhat better than nothing, but far from perfect.
>
> > If I get "server has changed keys" messages and I'm not certain
> > that it was myself that upgraded ssh or did a clean install, there's
> > no way I'm going to authorize the key exchange.
>
> I asked some users, most said they have clicked ok. Also what
> about connecting to a new server? How do you verify the key, phone
> the server admin and ask for the fingerprint?

In a perfect world, you have your admin send you a pgp signed message with the server public key in it. When you initially authenticate, you sure as hell make sure it matches. Not that difficult.

> > This is like blaming bullet proof vests for the moron that decided to
> > wear his like a turban. :)
>
> What is it with stupid gun related examples. It's more like me
> saying "The end of bullet proof vests - Someone just released a
> product called "sure headshot (TM)" that gives you pretty much
> guaranteed head shot, meaning your BPV might be useful for ID'ing
> the corpse".

I don't think so, dsniff only allows the interception when the user allows it to happen either by ignorance or carelessness. Sort of like wearing a bullet proof vest as a turban. dsniff can _not_ intercept SSL/SSH when proper security measures are taken.

> > Is there something I'm missing here?
>
> Telnet was just a fine protocol, well until people started
> releasing sniffers that were dead easy to use. And then things like
> the HUNT project that let you easily hijack/kill TCP connections
> (like telnet =). For some reason we don't send cleartext as much
> anymore, why is that? Perhaps SSH/SSL are not the be all end all
> perfect solution, imagine that.
>
> The main point of the article was to educate users. Like those
> people that know less than "us", who as a rule tend to believe
> blindly that SSH and SSL makes things "secure".

If that's true then why not explain in a calm manner how there are major problems if these tools aren't used carefully, instead of sensationalizing with a headline "The End of SSL and SSH?"?

You know how much I love sensationalists, Kurt. I've come down hard on false reports of vulnerabilities and sensationalistic journalists. As an upcoming journalist you owe it to the community to be more objective, educational and levelheaded with your stories.

bye,
--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
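As an added example (not part of this thread, and not dsniff's or OpenSSH's code), here is the "make sure it matches" step from Alfred's reply in Python: compute the fingerprint of a presented host key the way `ssh-keygen -l` prints it and compare it with the fingerprint received out of band, for instance in the PGP-signed message he describes. The sample key is constructed and belongs to no real server, and checking the PGP signature on the admin's message is assumed to have been done beforehand with gpg.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample host key (not any real server's key): an ssh-ed25519
# blob whose 32 key bytes are just 0..31, encoded the way a key appears in
# ssh_host_ed25519_key.pub or a known_hosts line. "host.example" is a
# placeholder comment field.
_BLOB = (struct.pack(">I", 11) + b"ssh-ed25519"
         + struct.pack(">I", 32) + bytes(range(32)))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " host.example"


def parse_pubkey(line):
    """Return (declared_type, raw_blob) for an OpenSSH public-key line.

    The blob is base64 of the SSH wire encoding; its first length-prefixed
    string must repeat the declared type, otherwise the line is mangled."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public-key line")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type inside blob does not match declared type")
    return key_type, blob


def fingerprint(line, algo="sha256"):
    """Fingerprint in the form ssh-keygen -l -E <algo> prints:
    SHA256:<unpadded base64 of digest> or MD5:<colon-separated hex>."""
    _, blob = parse_pubkey(line)
    digest = hashlib.new(algo, blob).digest()
    if algo == "sha256":
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    if algo == "md5":
        return "MD5:" + ":".join(f"{b:02x}" for b in digest)
    raise ValueError("unsupported fingerprint hash")


def host_key_matches(line, expected_fingerprint):
    """True only if the presented key hashes to the fingerprint delivered
    out of band. On False the right move is to abort the connection, not
    to accept the new key."""
    algo = "sha256" if expected_fingerprint.startswith("SHA256:") else "md5"
    return hmac.compare_digest(fingerprint(line, algo), expected_fingerprint)
```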