Date: Mon, 18 Dec 2000 01:13:20 -0800
From: "Crist J. Clark" <cjclark@reflexnet.net>
To: Todd Backman <todd@flyingcroc.net>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: dsniff 2.3 info:
Message-ID: <20001218011320.X96105@149.211.6.64.reflexcom.com>
In-Reply-To: <Pine.BSF.4.21.0012172347240.48779-100000@security1.noc.flyingcroc.net>; from todd@flyingcroc.net on Sun, Dec 17, 2000 at 11:48:55PM -0800
References: <Pine.BSF.4.21.0012172347240.48779-100000@security1.noc.flyingcroc.net>

On Sun, Dec 17, 2000 at 11:48:55PM -0800, Todd Backman wrote:
>
> FYI:
>
> The End of SSL and SSH?
>
> Yesterday, dsniff 2.3 was released. Why is this important, you ask? dsniff
> 2.3 allows you to exploit several fundamental flaws in two extremely
> popular encryption protocols, SSL and SSH. SSL and SSH are used to protect
> a large amount of network traffic, from financial transactions with online
> banks and stock trading sites to network administrator access to secured
> hosts holding extremely sensitive data. Could this signal the end of SSH
> or SSL?
>
> Read the full story here:
> http://securityportal.com/cover/coverstory20001218.html

*sigh*

Nothing new. Well known man-in-the-middle attacks. From the text,

  What Can You Do about This?

  Ignoring the problem might be one response, but that probably won't
  work in the long run. Without major restructuring of the SSH and SSL
  protocols, there is very little that can be done to "fix" them. The
  best course of action is to educate users to the dangers that
  attackers pose, and how to recognize when an attack may be taking
  place.

SSH is already fixed. Earlier in the text,

  SSH simply uses a secret and public key, and since they are
  generally not signed, it is trivial for an attacker to sit in the
  middle and intercept the connection... If you do have the server's
  public key, you will generally receive a warning like "Warning:
  server's key has changed. Continue?" Most users will hit Yes.

No, this is not accurate in my experience. Most clients will not let
you use a server when the key does not match unless you manually
remove the old key from the key list. Most clients at least have BIG
FLASHY MESSAGES telling the user that a changed key means someone
might be doing something Very Naughty, not just a simple, "Warning:
server's key has changed. Continue?"

For example, OpenSSH will say,

  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
  Someone could be eavesdropping on you right now (man-in-the-middle attack)!
  It is also possible that the RSA host key has just been changed.
  Please contact your system administrator.
  Add correct host key in /usr/home/user/.ssh/known_hosts to get rid of this message.
  RSA host key for server.wherever.org has changed and you have requested strict checking.

And quit, if strict checking (the default) is on.

Just as the demise of telnet was greatly exaggerated by the widespread
availability of tools like hunt, sniffit, et al., dsniff is not going
to make SSH or SSL obsolete.
-- 
Crist J. Clark                           cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001218011320.X96105>