Date: Fri, 5 Jan 2001 13:25:13 -0700 (MST)
From: "David G. Andersen" <dga@pobox.com>
To: matrix@ipform.ru (Artem Koutchine)
Cc: dga@pobox.com (David G. Andersen), security@FreeBSD.ORG, questions@FreeBSD.ORG
Subject: Re: Antisniffer measures (digest of posts)
Message-ID: <200101052025.NAA01074@faith.cs.utah.edu>
In-Reply-To: <002f01c07753$af808400$0c00a8c0@ipform.ru> from "Artem Koutchine" at Jan 05, 2001 11:11:25 PM

Lo and behold, Artem Koutchine once said:
> >
> > IPsec. IPsec. IPsec. FreeBSD, Linux, Win2k support it. Don't know
> > about MacOS. Doubt it until OSX, but I could be wrong. This is the
> > better solution.
>
> Well, then I need IPSec for Win9x, NT 4.x and ME too. Is there?
I don't know. You're asking on the FreeBSD mailing lists.
> > A final solution is simply to encrypt all sensitive traffic at the
> > application layer. Use SSL for http/pop3/etc. Use SSH for remote
> > access. Etc. Not perfect, but works.
>
> Nope, dsniff breaks SSL and SSH1.
Dsniff helps break improperly used and configured SSL and SSH. As a
blanket statement, what you said is incorrect. If you securely distribute
the public keys of the other machines to /etc/ssh/ssh_known_hosts{2}
and set StrictHostKeyChecking, you'll be fine, unless you have users who
deliberately try to circumvent security. But that's a different problem
entirely.
-Dave
--
work: dga@lcs.mit.edu me: dga@pobox.com
MIT Laboratory for Computer Science http://www.angio.net/
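
Added example, not part of the message above and not OpenSSH's own code: a Python check of the two conditions the reply names, that StrictHostKeyChecking resolves to "yes" for a host and that the host's key is already listed in a known_hosts file. The sample config, host names and placeholder keys are constructed; Match blocks and hashed known_hosts entries are not evaluated, and "ask" is assumed as the client default.

```python
import fnmatch

# Constructed samples, not from the message; key material is a placeholder.
SAMPLE_SSH_CONFIG = """\
Host build-*
    StrictHostKeyChecking no
Host gateway.example.org
    StrictHostKeyChecking yes
"""
SAMPLE_KNOWN_HOSTS = """\
gateway.example.org,192.0.2.10 ssh-ed25519 AAAAPLACEHOLDER1
db.example.org ssh-ed25519 AAAAPLACEHOLDER2
"""

def host_matches(patterns, host):
    """ssh_config Host rule: some pattern matches and no '!pattern' does."""
    neg = [p[1:] for p in patterns if p.startswith("!")]
    pos = [p for p in patterns if not p.startswith("!")]
    match = lambda ps: any(fnmatch.fnmatchcase(host, p) for p in ps)
    return match(pos) and not match(neg)

def effective_strict(config_text, host, default="ask"):
    """First matching StrictHostKeyChecking wins (Match blocks not handled)."""
    applies = True  # options before any Host line apply to every host
    for raw in config_text.splitlines():
        parts = raw.replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "host":
            applies = host_matches(parts[1:], host)
        elif key == "stricthostkeychecking" and applies and len(parts) > 1:
            return parts[1].lower()
    return default

def plain_known_hosts(text):
    """Names listed in known_hosts; skips comments, @markers and |1| hashed entries."""
    rows = [line.split() for line in text.splitlines()]
    return {n for f in rows if f and f[0][0] not in "#@|" for n in f[0].split(",")}

def audit(config_text, known_hosts_text, hosts):
    """Per-host findings; an empty list means both conditions are met."""
    known, report = plain_known_hosts(known_hosts_text), {}
    for host in hosts:
        mode = effective_strict(config_text, host)
        strict = [] if mode == "yes" else [f"StrictHostKeyChecking is '{mode}'"]
        report[host] = strict + ([] if host in known else ["key not in known_hosts"])
    return report
```

Calling audit(SAMPLE_SSH_CONFIG, SAMPLE_KNOWN_HOSTS, [...]) with the three sample host names returns no findings only for gateway.example.org; any host left on "no" or "ask", or missing from known_hosts, is one where a first-connection key would not be verified against a distributed copy.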
