Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 18 Dec 2000 18:36:06 -0700
From:      Wes Peters <wes@softweyr.com>
To:        David Talkington <dtalk@prairienet.org>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: dsniff 2.3 info:
Message-ID:  <3A3EBB86.3F1AD9EC@softweyr.com>
References:  <Pine.LNX.4.30.0012180328520.933-100000@sherman.spotnet.org>
next in thread | previous in thread | raw e-mail | index | archive | help 

David Talkington wrote:
> 
> Crist J. Clark wrote:
> 
> >SSH is already fixed. Earlier in the text,
> >
> >    SSH simply uses a secret and public key, and since they are
> >    generally not signed, it is trivial for an attacker to sit in the
> >    middle and intercept the connection... If you do have the server's
> >    public key, you will generally receive a warning like "Warning:
> >    server's key has changed. Continue?" Most users will hit Yes.
> >
> >No, this is not accurate in my experience. Most clients will not let
> >you use a server when the key does not match unless you manually
> >remove the old key from the key list. Most clients at least have BIG
> >FLASHY MESSAGES telling the user that a changed key means someone
> >might be doing something Very Naughty, not just a simple, "Warning:
> >server's key has changed. Continue?"
> 
> SSH Communications clients (at least for Unix), both protocols, will
> allow the user to accept a new key with just a keystroke.  My
> experience suggests that most users won't even bat an eye at the
> "SOMETHING NASTY MIGHT BE HAPPENING" message; they'll just hit "y" and
> go on with their days.  Maybe the result of learning to reflexively
> dismiss Microsoft's "Are you sure?"s ...
> 
> *sigh* indeed for social engineering.  We can debug code, but not
> humans.

Sounds like it's time for:

	Warning: the security credentials for this server have changed.
	Enter any 11-digit prime number to continue: ___________

-- 
            "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3A3EBB86.3F1AD9EC>