Date: Sun, 7 Jan 2001 11:21:16 -0500 (EST)
From: Robert Watson <robert@fledge.watson.org>
To: 1st Vamp
Cc: security@FreeBSD.ORG
Subject: Re: Fw: Re: Antisniffer measures (digest of posts)

On Sun, 7 Jan 2001, 1st Vamp wrote:

> To: Wes Peters
> Date: 07/01/2001, 12:45:09
> Subject: Re: Antisniffer measures (digest of posts)
>
> Technically any SSL enabled telnet client wouldn't be that different from
> using a normal telnet client through an SSL tunnel, such as stunnel,
> although some bugs have been found in recent ports, and this is technically
> no more secure than plain old SSH.

I'm not sure I follow your argument -- if the SSL telnet properly evaluates
X.509 certificates, and has preconfigured, trusted roots, then an SSL telnet
does offer something that SSH does not have: the ability to connect to a new
host without a manual keying procedure. Given that the weakness currently
widely touted as existing in SSH is really a failure to provide an automatic
keying procedure (and users not knowing how to deal with that), it seems to
be the case that in that regard, it really *is* more secure than plain old
SSH.

Now, at least some of the SSL clients out there actually don't do this: for
example, last time I looked at pine-SSL (a while ago), it performed no
certificate checking, meaning it was quite subject to a man-in-the-middle
attack, and unlike most versions of SSH, would not display any warning
indicating the potential for one. However, a properly written and configured
SSL client should not do this.

Robert N M Watson
FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org
NAI Labs, Safeport Network Services
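The two trust models contrasted in the message above, as an added example that is not part of the original post: an SSH-style known-hosts check that needs a manual keying step on first contact but warns when a host key changes, beside a TLS client context that either validates the certificate chain against preconfigured roots or, like the pine-SSL behaviour described, accepts anything silently. The class and function names and the sample host keys are constructed for illustration.

```python
"""Host authentication: trust-on-first-use (SSH) vs. X.509 roots (SSL/TLS)."""
import hashlib
import ssl
from typing import Dict


class KnownHosts:
    """SSH model: the first contact with a host requires the user to accept
    its key by hand; afterwards a different key is reported, not ignored."""

    def __init__(self) -> None:
        self._store: Dict[str, str] = {}

    @staticmethod
    def fingerprint(host_key: bytes) -> str:
        return hashlib.sha256(host_key).hexdigest()

    def check(self, host: str, host_key: bytes) -> str:
        """Return 'new' (manual keying needed), 'ok', or 'MISMATCH'."""
        fp = self.fingerprint(host_key)
        known = self._store.get(host)
        if known is None:
            self._store[host] = fp  # operator accepted the key out of band
            return "new"
        return "ok" if known == fp else "MISMATCH"


def tls_client_context(verify: bool = True) -> ssl.SSLContext:
    """X.509 model: with the system's trusted roots loaded, a host never seen
    before can be authenticated without any manual keying step.
    verify=False reproduces a client that does no certificate checking."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    if not verify:
        ctx.check_hostname = False       # weak: any subject name accepted
        ctx.verify_mode = ssl.CERT_NONE  # weak: any chain (or none) accepted
    return ctx


def is_mitm_resistant(ctx: ssl.SSLContext) -> bool:
    """A context that checks neither the chain nor the hostname lets an
    interposed server pass with no warning at all."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)
```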