Date: Mon, 18 Dec 2000 03:37:42 -0600 (CST) From: David Talkington <dtalk@prairienet.org> Cc: <freebsd-security@FreeBSD.ORG> Subject: Re: dsniff 2.3 info: Message-ID: <Pine.LNX.4.30.0012180328520.933-100000@sherman.spotnet.org> In-Reply-To: <20001218011320.X96105@149.211.6.64.reflexcom.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Crist J. Clark wrote: >SSH is already fixed. Earlier in the text, > > SSH simply uses a secret and public key, and since they are > generally not signed, it is trivial for an attacker to sit in the > middle and intercept the connection... If you do have the server's > public key, you will generally receive a warning like "Warning: > server's key has changed. Continue?" Most users will hit Yes. > >No, this is not accurate in my experience. Most clients will not let >you use a server when the key does not match unless you manually >remove the old key from the key list. Most clients at least have BIG >FLASHY MESSAGES telling the user that a changed key means someone >might be doing something Very Naughty, not just a simple, "Warning: >server's key has changed. Continue?" SSH Communications clients (at least for Unix), both protocols, will allow the user to accept a new key with just a keystroke. My experience suggests that most users won't even bat an eye at the "SOMETHING NASTY MIGHT BE HAPPENING" message; they'll just hit "y" and go on with their days. Maybe the result of learning to reflexively dismiss Microsoft's "Are you sure?"s ... *sigh* indeed for social engineering. We can debug code, but not humans. -d To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.LNX.4.30.0012180328520.933-100000>