Re: SecurityPortal re: Attacks on SSH and SSL
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: SecurityPortal re: Attacks on SSH and SSL
- From: Dug Song <dugsong_(_at_)_monkey_(_dot_)_org>
- Date: Mon, 18 Dec 2000 14:15:10 -0500
On Mon, Dec 18, 2000 at 10:43:51AM -0600, Mark Beihoffer wrote:

> Please comment, as OpenBSD uses SSH in the default install.
>
> http://www.securityportal.com/cover/coverstory20001218.html

see the dsniff FAQ for background.

i disagree somewhat with what mats said - i believe you actually can
fight stupid users, if you're an experienced BOFH armed with the right
tools. :-)

for instance, this is how we used dsniff to get rid of plaintext
network authentication at CITI:

http://www.citi.umich.edu/dsniff.html

btw, i checked the error messages OpenSSH produces in the face of a
monkey-in-the-middle attack with both Niels and Markus, and i think
they're obnoxious enough now to give even the most clueless of users
pause to consider what's actually going on when a host key changes.

this is really the best you can hope for, when our technology is so
prone to user error...

-d.
---
http://www.monkey.org/~dugsong/