[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SecurityPortal re: Attacks on SSH and SSL



On Mon, Dec 18, 2000 at 10:43:51AM -0600, Mark Beihoffer wrote:

> Please comment, as OpenBSD uses SSH in the default install.
> 
> http://www.securityportal.com/cover/coverstory20001218.html

see the dsniff FAQ for background.

i disagree somewhat with what mats said - i believe you actually can
fight stupid users, if you're an experienced BOFH armed with the right
tools. :-)

for instance, this is how we used dsniff to get rid of plaintext
network authentication at CITI:

	http://www.citi.umich.edu/dsniff.html

btw, i checked the error messages OpenSSH produces in the face of a
monkey-in-the-middle attack with both Niels and Markus, and i think
they're obnoxious enough now to give even the most clueless of users
pause to consider what's actually going on when a host key changes.

this is really the best you can hope for, when our technology is so
prone to user error...

-d.

---
http://www.monkey.org/~dugsong/