From owner-freebsd-security Sun Jan 7 8:28:15 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtpout.kingston-internet.net (smtpout.kingston-internet.co.uk [212.50.161.69]) by hub.freebsd.org (Postfix) with ESMTP id 1CBD337B698 for ; Sun, 7 Jan 2001 08:27:20 -0800 (PST)
Received: from dialup99.manuel.kingston-internet.net ([212.50.176.99] helo=pmason.karoo.co.uk) by smtpout.kingston-internet.net with smtp (Exim 2.12 #8) id 14FIf6-0007P2-00 for security@FreeBSD.ORG; Sun, 7 Jan 2001 16:27:18 +0000
Date: Sun, 7 Jan 2001 16:27:00 -0000
From: 1st Vamp
Reply-To: 1st Vamp
To: security@FreeBSD.ORG
Subject: Re: Antisniffer measures (digest of posts)
X-Mailer: AK-Mail 3.1 publicbeta2a [eng] (unregistered)
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

True, very valid points; that's what I get for replying to mailing lists when I'm barely awake from a long night of revision.

- Vamp

: On Sun, 7 Jan 2001, 1st Vamp wrote:
:> To: Wes Peters
:> Date: 07/01/2001, 12:45:09
:> Subject: Re: Antisniffer measures (digest of posts)
:>
:> Technically any SSL-enabled telnet client wouldn't be that different from
:> using a normal telnet client through an SSL tunnel, such as stunnel,
:> although some bugs have been found in recent ports, and this is
:> technically no more secure than plain old SSH.
: I'm not sure I follow your argument -- if the SSL telnet properly
: evaluates X.509 certificates, and has preconfigured, trusted roots, then
: an SSL telnet does offer something that SSH does not have: the ability to
: connect to a new host without a manual keying procedure.
: Given that the weakness currently widely touted as existing in SSH is
: really a failure to provide an automatic keying procedure (and users not
: knowing how to deal with that), it seems to be the case that in that
: regard, it really *is* more secure than plain old SSH.
:
: Now, at least some of the SSL clients out there actually don't do this:
: for example, last time I looked at pine-SSL (a while ago), it performed
: no certificate checking, meaning it was quite subject to a
: man-in-the-middle attack, and unlike most versions of SSH, would not
: display any warning indicating the potential for one. However, a
: properly written and configured SSL client should not do this.
:
: Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
: robert@fledge.watson.org      NAI Labs, Safeport Network Services

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message