From owner-freebsd-security@FreeBSD.ORG Mon Dec 18 11:33:31 2000
Message-ID: <007401c06929$68298120$ca00030a@seifried.org>
Reply-To: "Kurt Seifried"
From: "Kurt Seifried"
To: "Alfred Perlstein"
Cc: "Moses Backman III" , "Todd Backman" ,
References: <20001218133716.A550@cg22413-a.adubn1.nj.home.com> <20001218104954.B19572@fw.wintelcom.net> <005a01c06924$77186340$ca00030a@seifried.org> <20001218112434.C19572@fw.wintelcom.net>
Subject: Re: woah
Date: Mon, 18 Dec 2000 12:33:31 -0700

> In a perfect world, you have your admin send you a pgp signed
> message with the server public key in it. When you initially
> authenticate, you sure as hell make sure it matches.
>
> Not that difficult.

So you're volunteering to install PGP/GnuPG on 30,000 machines at the local
university, and educate users how to use it? I'm sure Bob Beck will be happy
to hear from you. This isn't a perfect world and we all know it. That's one
reason I wrote this article.

> > > This is like blaming bullet proof vests for the moron that decided to
> > > wear his like a turban. :)
> >
> > What is it with stupid gun-related examples? It's more like me
> > saying "The end of bullet proof vests - Someone just released a
> > product called "sure headshot (TM)" that gives you pretty much
> > guaranteed head shot, meaning your BPV might be useful for ID'ing
> > the corpse".
>
> I don't think so, dsniff only allows the interception when the user
> allows it to happen either by ignorance or carelessness. Sort of
> like wearing a bullet proof vest as a turban.

Argh. I give up.

> dsniff can _not_ intercept SSL/SSH when proper security measures
> are taken.

And how many people take those proper measures? Well, maybe after reading
this article some more will. If you've got a better way to educate people
I'm open to suggestions.

> If that's true then why not explain in a calm manner how there are
> major problems if these tools aren't used carefully, instead of
> sensationalizing with a headline "The End of SSL and SSH?" ?
>
> You know how much I love sensationalists, Kurt. I've come down
> hard on false reports of vulnerabilities and sensationalistic
> journalists.
>
> As an upcoming journalist you owe it to the community to be more
> objective, educational and levelheaded with your stories.

Please tell me about the factual errors/etc. As for the headline, I didn't
think it was sensationalistic; I think it's an honest question. SSL/SSH are
far from perfect; I think we're far beyond the point where we should be
looking for replacements (let's not pull a telnet here...).

> bye,

-Kurt

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
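The check Alfred describes at the top of the thread (the admin publishes the server's host key in a PGP-signed message; the user compares it against what the server presents on first connection) is exactly what an sshmitm-style proxy cannot survive, because the proxy has to present its own key. The script below is an added example written for this page, not code from dsniff, OpenSSH or either poster. It turns the public-key line a server presents into the two fingerprint formats ssh-keygen -l prints (the colon-separated MD5 form that SSH clients of this era showed, and the SHA256 form that later OpenSSH releases print), and refuses the key unless it matches the published fingerprint. The "real server" key, the "interposed proxy" key and the published fingerprint are all constructed inside the script from arbitrary bytes; they are not anyone's actual keys.

```python
"""Out-of-band SSH host key verification.

A MITM proxy can only sit between client and server if the client accepts the
proxy's host key in place of the real one.  This script turns the key a server
presents into the fingerprint formats ssh-keygen -l prints and refuses the key
unless it matches the fingerprint the administrator published out of band.
"""
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def build_pubkey_line(key_type: str, raw_key: bytes) -> str:
    """Build an OpenSSH public-key line ('<type> <base64 blob>') from raw key
    bytes.  Used here only to construct sample keys; a real server sends the
    blob during key exchange."""
    blob = ssh_string(key_type.encode("ascii")) + ssh_string(raw_key)
    return f"{key_type} {base64.b64encode(blob).decode('ascii')}"


def parse_pubkey_line(line: str):
    """Return (declared_type, blob, key_fields) for a public-key line.

    Raises ValueError on a malformed line or when the type embedded in the blob
    does not match the declared type, so a type-swapped key is not accepted."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    declared = parts[0]
    blob = base64.b64decode(parts[1], validate=True)  # binascii.Error is a ValueError
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated string field")
        fields.append(blob[off:off + n])
        off += n
    if not fields or fields[0] != declared.encode("utf-8"):
        raise ValueError("embedded key type does not match declared type")
    return declared, blob, fields[1:]


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated MD5 fingerprint over the key blob."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprint_sha256(blob: bytes) -> str:
    """Modern fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def normalize_fingerprint(fp: str) -> str:
    """Canonicalize a published fingerprint so it compares with what we compute:
    SHA256 keeps its prefix with padding stripped; MD5 gets a prefix and lowercase."""
    fp = fp.strip()
    if fp[:7].upper() == "SHA256:":
        return "SHA256:" + fp[7:].rstrip("=")
    if fp[:4].upper() == "MD5:":
        fp = fp[4:]
    return "MD5:" + fp.lower()


def host_key_matches(presented_line: str, published_fingerprint: str) -> bool:
    """True only when the key the server presented has the fingerprint the
    administrator published.  Any parse failure counts as a mismatch, so a
    malformed or type-swapped key is refused rather than silently accepted."""
    try:
        _, blob, _ = parse_pubkey_line(presented_line)
    except ValueError:
        return False
    expected = normalize_fingerprint(published_fingerprint)
    actual = fingerprint_sha256(blob) if expected.startswith("SHA256:") else fingerprint_md5(blob)
    return hmac.compare_digest(actual.encode("utf-8"), expected.encode("utf-8"))


# Constructed sample data (arbitrary bytes, not anyone's real keys): the key of
# the genuine server and the key an interposed proxy would present instead.
REAL_SERVER_KEY = build_pubkey_line("ssh-ed25519", bytes(range(1, 33)))
MITM_KEY = build_pubkey_line("ssh-ed25519", bytes(range(33, 65)))
# What the administrator would put in the PGP-signed message.
PUBLISHED_FINGERPRINT = fingerprint_sha256(parse_pubkey_line(REAL_SERVER_KEY)[1])


if __name__ == "__main__":
    for label, line in (("genuine server", REAL_SERVER_KEY), ("interposed proxy", MITM_KEY)):
        blob = parse_pubkey_line(line)[1]
        verdict = "ACCEPT" if host_key_matches(line, PUBLISHED_FINGERPRINT) else "REFUSE"
        print(f"{label}: {fingerprint_sha256(blob)}  {fingerprint_md5(blob)}  -> {verdict}")
```

The point of the design is that the decision never depends on anything the network delivered: the fingerprint on the right-hand side of the comparison comes from the signed message, and a proxy that swaps the key cannot also swap that. The comparison is constant-time out of habit rather than necessity, since fingerprints are public; what actually matters is that a parse error or a mismatch falls through to refusal instead of to the "accept and continue" that dsniff relies on.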