From: David Talkington
Date: Mon, 18 Dec 2000 03:37:42 -0600 (CST)
Delivered-To: freebsd-security@freebsd.org
Subject: Re: dsniff 2.3 info:
In-Reply-To: <20001218011320.X96105@149.211.6.64.reflexcom.com>

Crist J. Clark wrote:

>SSH is already fixed. Earlier in the text,
>
>  SSH simply uses a secret and public key, and since they are
>  generally not signed, it is trivial for an attacker to sit in the
>  middle and intercept the connection... If you do have the server's
>  public key, you will generally receive a warning like "Warning:
>  server's key has changed. Continue?" Most users will hit Yes.
>
>No, this is not accurate in my experience. Most clients will not let
>you use a server when the key does not match unless you manually
>remove the old key from the key list. Most clients at least have BIG
>FLASHY MESSAGES telling the user that a changed key means someone
>might be doing something Very Naughty, not just a simple, "Warning:
>server's key has changed. Continue?"

SSH Communications clients (at least for Unix), both protocols, will
allow the user to accept a new key with just a keystroke. My experience
suggests that most users won't even bat an eye at the "SOMETHING NASTY
MIGHT BE HAPPENING" message; they'll just hit "y" and go on with their
days.

Maybe the result of learning to reflexively dismiss Microsoft's "Are
you sure?"s ... *sigh* indeed for social engineering. We can debug
code, but not humans.

-d
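As an added example (not part of this thread, and not the code of any SSH client): a small Python model of the host-key check the discussion is about. It parses a known_hosts file and classifies a presented key as match, mismatch or unknown, so that a changed key is a hard refusal rather than a one-keystroke prompt. The known_hosts entry and keys are constructed; hashed hostnames and @cert-authority/@revoked markers are assumed out of scope.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data

def wire_blob(key_type: str, raw_key: bytes) -> str:
    """Base64 public-key blob in the form that appears in known_hosts."""
    return base64.b64encode(ssh_string(key_type.encode()) + ssh_string(raw_key)).decode()

def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint (unpadded base64) of a key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text: str) -> dict:
    """Map (host, key_type) -> blob. Plain host lists only; hashed (|1|...)
    hostnames and @cert-authority/@revoked markers are skipped here."""
    pins = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "|", "@")):
            continue
        for host in fields[0].split(","):
            pins[(host, fields[1])] = fields[2]
    return pins

def verify_host_key(pins: dict, host: str, key_type: str, presented: str) -> str:
    """Return 'match', 'mismatch' (key changed: refuse, never just prompt),
    or 'unknown' (first contact: only a strict policy refuses)."""
    pinned = pins.get((host, key_type))
    if pinned is None:
        return "unknown"
    return "match" if pinned == presented else "mismatch"

# Constructed sample keys and known_hosts entry; not real hosts or keys.
PINNED_BLOB = wire_blob("ssh-ed25519", bytes(range(32)))
OTHER_BLOB = wire_blob("ssh-ed25519", bytes(32))  # a different key, as a MITM would present
KNOWN_HOSTS = f"shell.example.org,192.0.2.10 ssh-ed25519 {PINNED_BLOB}\n"

if __name__ == "__main__":
    pins = parse_known_hosts(KNOWN_HOSTS)
    for blob in (PINNED_BLOB, OTHER_BLOB):
        print(fingerprint(blob), verify_host_key(pins, "shell.example.org", "ssh-ed25519", blob))
```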