
Re: pf configuration



On Wed, 4 Sep 2002 15:36:00 +1000 (Australia/ACT)
Darren Reed <avalon_(_at_)_coombs_(_dot_)_anu_(_dot_)_edu_(_dot_)_au> wrote:

> I'm surprised that anyone, after the previous happenings of this year,
> thinks that OpenSSH is the pinnacle of security and cannot be defeated.

Anyone who EVER thought so should not be working in this field.
In fact, anyone who thinks ANY software is undefeatable is completely and 
utterly incompetent.

> This is not to insult OpenSSH but merely a recognition that it is an
> extremely complex application with external dependencies on similarly
> complex software.  Much more so than telnet/rsh/rlogin.

Any modern car with numerous safety and security measures is more complex than
an old T-Ford. That doesn't mean the T-Ford would be the most secure vehicle
on the roads today.

> Given all of this, to see someone come out and say they're not allowing
> ssh because they don't believe it is secure should not be surprising to
> anyone, unless they have either been living under a rock or just plain
> refuse to believe that there may still be more problems, undiscovered.

Of course there are undiscovered problems. It is not possible to create flawless
software, with the possible exception of "Hello World".

> The choice of telnet to replace it is questionable, but maybe they're more
> confident about the security risks of using it vs OpenSSH.

The logical next step would of course be to stop using SSL for sensitive web
applications since there was a bug in OpenSSL and hey, that must mean that plain
old http is much more secure.
It is not a logical (or competent) decision. The fact that secure application X
has had a flaw does not make the insecure application Y a better choice.

It would be different if instead of OpenSSH you would choose some other SSH product
but that's not the issue here.

---
Lars Hansson