From: "David G. Andersen" <dga@pobox.com>
To: matrix@ipform.ru (Artem Koutchine)
Cc: dga@pobox.com (David G. Andersen), security@FreeBSD.ORG, questions@FreeBSD.ORG
Subject: Re: Antisniffer measures (digest of posts)
Date: Fri, 5 Jan 2001 13:25:13 -0700 (MST)
In-Reply-To: <002f01c07753$af808400$0c00a8c0@ipform.ru> from "Artem Koutchine" at Jan 05, 2001 11:11:25 PM

Lo and behold, Artem Koutchine once said:
> >
> > IPsec. IPsec. IPsec. FreeBSD, Linux, Win2k support it. Don't know
> > about MacOS. Doubt it until OSX, but I could be wrong. This is the
> > better solution.
>
> Well, then I need IPSec for Win9x, NT 4.x and ME too. Is there?

I don't know. You're asking on the FreeBSD mailing lists.

> > A final solution is simply to encrypt all sensitive traffic at the
> > application layer. Use SSL for http/pop3/etc. Use SSH for remote
> > access. Etc. Not perfect, but works.
>
> Nope, dsniff breaks SSL and SSH1.

Dsniff helps break improperly used and configured SSL and SSH. As a
blanket statement, what you said is incorrect. If you securely distribute
the public keys of the other machines to /etc/ssh/ssh_known_hosts{2} and
set StrictHostKeyChecking, you'll be fine, unless you have users who
deliberately try to circumvent security. But that's a different problem
entirely.

-Dave

--
work: dga@lcs.mit.edu                  me: dga@pobox.com
MIT Laboratory for Computer Science    http://www.angio.net/
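The two conditions named in the reply above (host keys pre-distributed to a system known-hosts file, and StrictHostKeyChecking set) can be audited with a short script. This is an added example, not part of the original message; the function names, sample host names and placeholder key blobs are constructed, and it assumes unhashed known-hosts entries.

```shell
#!/bin/sh
# Added example (not from the original message); sample files are constructed.

# strict_ok CONFIG: succeed only if StrictHostKeyChecking is "yes" in global
# scope (before any Host/Match, or under "Host *") and nothing weakens it.
strict_ok() {
    awk '
        BEGIN { global = 1 }
        /^[ \t]*#/ || NF == 0 { next }
        { gsub(/=/, " "); key = tolower($1) }
        key == "host"  { global = (NF == 2 && $2 == "*"); next }
        key == "match" { global = 0; next }
        key == "stricthostkeychecking" {
            if (tolower($2) != "yes") weak = 1
            else if (global) strict = 1
        }
        END { exit !(strict && !weak) }
    ' "$1"
}

# missing_hosts KNOWN_HOSTS host...: print hosts that have no key line.
# Assumes unhashed entries (HashKnownHosts off) and literal host names.
missing_hosts() {
    file=$1; shift
    for h in "$@"; do
        awk -v h="$h" '
            /^[ \t]*[#@]/ || NF == 0 { next }
            { n = split($1, names, ","); for (i = 1; i <= n; i++) if (names[i] == h) found = 1 }
            END { exit !found }
        ' "$file" || printf '%s\n' "$h"
    done
}

# write_sample DIR: constructed configs and a known-hosts file (placeholder keys).
write_sample() {
    printf 'Host *.lab.example\n  StrictHostKeyChecking no\nHost *\n  StrictHostKeyChecking yes\n' > "$1/ssh_config.weak"
    printf 'Host *\n  StrictHostKeyChecking yes\n  GlobalKnownHostsFile /etc/ssh/ssh_known_hosts\n' > "$1/ssh_config.strict"
    printf '# constructed\ngw.example,192.0.2.1 ssh-rsa AAAA-placeholder-1\nmail.example ssh-rsa AAAA-placeholder-2\n' > "$1/ssh_known_hosts"
}

tmp=$(mktemp -d) && write_sample "$tmp"
for f in weak strict; do
    if strict_ok "$tmp/ssh_config.$f"; then echo "$f: strict"; else echo "$f: NOT strict"; fi
done
missing_hosts "$tmp/ssh_known_hosts" gw.example db.example   # prints db.example
rm -rf "$tmp"
```

On a live system, `ssh-keygen -F host -f file` performs the same lookup and also matches hashed entries.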