Date: Mon, 18 Dec 2000 18:36:06 -0700 From: Wes Peters <wes@softweyr.com> To: David Talkington <dtalk@prairienet.org> Cc: freebsd-security@FreeBSD.ORG Subject: Re: dsniff 2.3 info: Message-ID: <3A3EBB86.3F1AD9EC@softweyr.com> References: <Pine.LNX.4.30.0012180328520.933-100000@sherman.spotnet.org>
next in thread | previous in thread | raw e-mail | index | archive | help
David Talkington wrote: > > Crist J. Clark wrote: > > >SSH is already fixed. Earlier in the text, > > > > SSH simply uses a secret and public key, and since they are > > generally not signed, it is trivial for an attacker to sit in the > > middle and intercept the connection... If you do have the server's > > public key, you will generally receive a warning like "Warning: > > server's key has changed. Continue?" Most users will hit Yes. > > > >No, this is not accurate in my experience. Most clients will not let > >you use a server when the key does not match unless you manually > >remove the old key from the key list. Most clients at least have BIG > >FLASHY MESSAGES telling the user that a changed key means someone > >might be doing something Very Naughty, not just a simple, "Warning: > >server's key has changed. Continue?" > > SSH Communications clients (at least for Unix), both protocols, will > allow the user to accept a new key with just a keystroke. My > experience suggests that most users won't even bat an eye at the > "SOMETHING NASTY MIGHT BE HAPPENING" message; they'll just hit "y" and > go on with their days. Maybe the result of learning to reflexively > dismiss Microsoft's "Are you sure?"s ... > > *sigh* indeed for social engineering. We can debug code, but not > humans. Sounds like it's time for: Warning: the security credentials for this server have changed. Enter any 11-digit prime number to continue: ___________ -- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3A3EBB86.3F1AD9EC>