Date: Fri, 1 Jun 2001 09:53:08 -0400
From: "Peter C. Lai" <sirmoo@cowbert.2y.net>
To: <freebsd-security@FreeBSD.ORG>
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
Message-ID: <00cc01c0eaa2$30bd7ca0$8caa6389@resnet.uconn.edu>
References: <200105312300.f4VN0RD24448@cwsys.cwsent.com> <Pine.BSF.4.31.0105311621290.52261-100000@localhost> <20010601013041.A32818@area51.dk> <3B16D9C8.2F6CE52E@ursine.com>

Usually on untrusted systems (such as a public terminal), I ssh via mindterm's java ssh client, which is stored on the system that I access. It only uses SSH1 (because they haven't written an SSH2 client yet). The java applet version I'm using is unsigned, and therefore should run in its own sandbox wrt the java runtime that I am using. Barring a trojaned java runtime that records all keystrokes, how else is using a trusted client stored on a trusted machine from an untrusted terminal dangerous?

Peter C. Lai | University of Connecticut
peter.lai@uconn.edu | Undergraduate Research Assistant

The information contained in this e-mail is confidential, may be privileged, and is intended only for the use of the recipient(s) named above. If you are not the intended recipient(s) or a representative(s) of the intended recipient(s), you have received this e-mail in error and must not copy, use or disclose the contents of this email to anybody else. If you have received this e-mail in error, please notify the sender immediately by return e-mail and permanently delete the copy you received.

----- Original Message -----
From: "Michael Bryan" <fbsd-secure@ursine.com>
To: <freebsd-security@FreeBSD.ORG>
Sent: Thursday, May 31, 2001 7:54 PM
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)

>
> Alex Holst wrote:
> >
> > I was
> > surprised when I read about the compromise, because it gives the impression
> > that people are still using passwords (as opposed to keys with passphrases)
> > for authentication in this day and age. Is that correct? If so, why is that?
>
> Yeah, I'd say it's correct. As to why, I can think of two reasons. 1) It's
> easier to use ssh with passwords, and just not be "bothered" with the key
> maintenance. 2) The password is sent encrypted, not in cleartext, and that
> is in many people's minds one of the most important benefits of using ssh.
> The extra safety of keys is just not always seen as being worth the extra
> work. [And I'm not arguing either side of that issue, different people believe
> or prioritize in different ways...]
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message