Date: Mon, 18 Dec 2000 12:33:31 -0700
From: "Kurt Seifried" <seifried@securityportal.com>
To: "Alfred Perlstein" <bright@wintelcom.net>
Cc: "Moses Backman III" <penguinjedi@home.com>, "Todd Backman" <todd@flyingcroc.net>, <freebsd-security@FreeBSD.ORG>
Subject: Re: woah
Message-ID: <007401c06929$68298120$ca00030a@seifried.org>
References: <Pine.BSF.4.21.0012172347240.48779-100000@security1.noc.flyingcroc.net> <20001218133716.A550@cg22413-a.adubn1.nj.home.com> <20001218104954.B19572@fw.wintelcom.net> <005a01c06924$77186340$ca00030a@seifried.org> <20001218112434.C19572@fw.wintelcom.net>
> In a perfect world, you have your admin send you a pgp signed
> message with the server public key in it. When you initially
> authenticate, you sure as hell make sure it matches.
>
> Not that difficult.

So you're volunteering to install PGP/GnuPG on 30,000 machines at the local university, and educate users how to use it? I'm sure Bob Beck will be happy to hear from you. This isn't a perfect world and we all know it. That's one reason I wrote this article.

> > > This is like blaming bullet proof vests for the moron that decided to
> > > wear his like a turban. :)
> >
> > What is it with stupid gun-related examples. It's more like me
> > saying "The end of bullet proof vests - Someone just released a
> > product called "sure headshot (TM)" that gives you pretty much
> > guaranteed head shot, meaning your BPV might be useful for ID'ing
> > the corpse".
>
> I don't think so, dsniff only allows the interception when the user
> allows it to happen either by ignorance or carelessness. Sort of
> like wearing a bullet proof vest as a turban.

Argh. I give up.

> dsniff can _not_ intercept SSL/SSH when proper security measures
> are taken.

And how many people take those proper measures? Well, maybe after reading this article some more will. If you've got a better way to educate people I'm open to suggestions.

> If that's true then why not explain in a calm manner how there are
> major problems if these tools aren't used carefully, instead of
> sensationalizing with a headline "The End of SSL and SSH?" ?
>
> You know how much I love sensationalists, Kurt. I've come down
> hard on false reports of vulnerabilities and sensationalistic
> journalists.
>
> As an upcoming journalist you owe it to the community to be more
> objective, educational and levelheaded with your stories.

Please tell me about the factual errors/etc. As for the headline, I didn't think it was sensationalistic; I think it's an honest question.
SSL/SSH are far from perfect; I think we're far beyond the point where we should be looking for replacements (let's not pull a telnet here...).

> bye,

-Kurt

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
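Editor's note, not part of the message above: the "proper security measures" the thread argues about come down to one check, which is worth showing in code rather than leaving abstract. The admin publishes the server's host key fingerprint out of band (in a PGP-signed mail, as Alfred describes), and the client refuses the first connection unless the fingerprint of the key the server actually presented matches it. The Python below is an added example written for this page; it is not code from the original message, from dsniff or from OpenSSH. It builds a wire-format ssh-ed25519 key blob itself so it runs offline, using constructed 32-byte values (not real keys) and the hypothetical host name host.example. It goes slightly beyond the 2000-era discussion by handling both the colon-separated MD5 fingerprint ssh printed at the time and the SHA256 form OpenSSH prints today.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def build_ed25519_blob(raw_pubkey: bytes) -> bytes:
    """Wire-format public key blob for ssh-ed25519 (RFC 8709): the key type
    as an SSH string followed by the 32 raw key bytes as an SSH string."""
    if len(raw_pubkey) != 32:
        raise ValueError("ed25519 public key must be exactly 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def key_line(blob: bytes, comment: str = "") -> str:
    """Render a blob the way ssh-keyscan / known_hosts print a key:
    '<keytype> <base64 blob> [comment]'. The key type is read out of the blob."""
    (n,) = struct.unpack(">I", blob[:4])
    keytype = blob[4:4 + n].decode("ascii")
    line = keytype + " " + base64.b64encode(blob).decode("ascii")
    return line + " " + comment if comment else line


def parse_key_line(line: str) -> bytes:
    """Parse a key line back into its blob, rejecting lines whose declared
    key type disagrees with the type embedded in the blob."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed key line")
    declared, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != declared.encode("ascii"):
        raise ValueError("key type in blob does not match declared type")
    return blob


def fingerprint_sha256(blob: bytes) -> str:
    """Current OpenSSH fingerprint: 'SHA256:' + unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy fingerprint as ssh printed it in 2000: colon-separated MD5 hex.
    The 'MD5:' prefix is only used here to tell the two formats apart."""
    return "MD5:" + ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def host_key_matches(presented_line: str, pinned_fingerprint: str) -> bool:
    """The out-of-band check: recompute the fingerprint of the key the server
    actually presented and compare it with the one the admin published.
    Returns False on mismatch; the caller must then abort the connection,
    never fall back to 'accept anyway'."""
    blob = parse_key_line(presented_line)
    if pinned_fingerprint.startswith("SHA256:"):
        computed = fingerprint_sha256(blob)
    elif pinned_fingerprint.startswith("MD5:"):
        computed = fingerprint_md5(blob)
    else:
        raise ValueError("unknown fingerprint format: " + pinned_fingerprint)
    return hmac.compare_digest(computed.encode("ascii"),
                               pinned_fingerprint.encode("ascii"))


# Constructed sample data (not real keys): the genuine server key and an
# attacker key that differs in one byte, as an interposed MITM would present.
SERVER_PUBKEY = bytes(range(32))
MITM_PUBKEY = bytes(range(31)) + b"\xff"


def demo() -> dict:
    """Run the check against the genuine key and against the MITM key."""
    pinned = fingerprint_sha256(build_ed25519_blob(SERVER_PUBKEY))  # from the signed mail
    genuine = key_line(build_ed25519_blob(SERVER_PUBKEY), "host.example")
    mitm = key_line(build_ed25519_blob(MITM_PUBKEY), "host.example")
    return {
        "pinned": pinned,
        "genuine_accepted": host_key_matches(genuine, pinned),
        "mitm_accepted": host_key_matches(mitm, pinned),
    }


if __name__ == "__main__":
    print(demo())
```

The point the example makes is the one the thread keeps circling: the comparison is trivial, so the weak link is not the code but whether a user ever obtains the pinned fingerprint and refuses to proceed when it does not match. The check also rejects a key line whose declared type and embedded type disagree, a cheap sanity test on anything received from the network.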
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?007401c06929$68298120$ca00030a>