[linux-elitists] telnet weenie frenzy!

Bulent Murtezaoglu bm@acm.org
Tue Feb 27 07:13:00 PST 2001


>>>>> "EL" == Eugene Leitl <Eugene.Leitl@lrz.uni-muenchen.de>

    [me] SSH is vulnerable to man-in-the-middle attacks in the default
    [me] config

    EL> In practice, that's a theoretical vulnerability. 

Hm.  I was just playing Devil's advocate.  The reasoning goes like
this:

Q: How do you justify presenting ftp and telnet as undiluted evil?  

A: Login info can be acquired by eavesdropping.

D: If you assume link layer is safe on either end, this eavesdropping
has to happen in the Internet at large in some intermediate router.
If your adversary has access to IP level data stream, then you're
likely to lose with ssh in default config also (man-in-the-middle).
Furthermore, given that you're most likely getting your ssh (and
other) software through the Internet, your adversary does not even
need to sniff anything...

    EL> dictionary attacks already require login compromise, 


Rick Moen corrected me on this (thanks).  The dictionary attack I had
in mind was repeatedly trying username/password pairs through the net.
I claimed ssh with user/password authentication was just as vulnerable
to this as telnet given a negligent sysadmin.  I agree that it
probably would not be practical because of the time it takes per try
(true for both though).

    EL> in
    EL> comparison to running a NIC in promiscuous mode.

If your link layer is not safe, then you have a ton of additional problems.
Disruptions and IP hijacking through creative ARPing (or creative
use of arping(8)) come to mind.  

As I said, I was just playing devil's advocate as requested.  I would
not claim to be a security expert, but it seems to me that if we'll
assume certain capabilities on the part of the probable adversaries 
to justify doing _some_ things in certain ways then we should also 
be aware of other vulnerabilities that are feasible given those 
assumptions.  If you are convinced your telnet is vulnerable, apt-get 
install ssh will not necessarily protect you.  In fact, under one
scenario where telnet is bad, apt-get would be worse!  

(note that I am not saying we shouldn't prefer ssh!)

cheers,

BM
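The "default config" weakness BM is pointing at is trust-on-first-use host-key checking: a client that has never seen a server's key records whatever key it is handed, so an interposed party on the first connection is accepted silently and only a later key change produces a warning. The following is an added example, not code from the post or from OpenSSH; it models a known_hosts store with two policies (accept unknown hosts on first use, or refuse them unless the fingerprint was pinned out of band) and shows what each one reports in the scenario the thread describes. The host name and the key strings are constructed placeholders.

```python
"""Model of SSH-style host-key checking (added example, not OpenSSH code).

Two policies are modelled:
  * tofu=True  : unknown hosts are recorded on first contact and trusted
                 from then on (the behaviour the thread calls the default)
  * tofu=False : unknown hosts are refused; only a fingerprint supplied out
                 of band (pinned) is accepted
"""
import base64
import hashlib

# Constructed sample keys; the real server key and the key an interposed
# party would present.  Any distinct byte strings work for the model.
REAL_KEY = b"ssh-ed25519 CONSTRUCTED-REAL-SERVER-KEY"
MITM_KEY = b"ssh-ed25519 CONSTRUCTED-INTERPOSED-KEY"
HOST = "server.example"  # placeholder host name


def fingerprint(pubkey: bytes) -> str:
    """SHA-256 fingerprint in the unpadded base64 form OpenSSH prints."""
    digest = hashlib.sha256(pubkey).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class KnownHosts:
    """Minimal known_hosts store: host name -> recorded fingerprint."""

    def __init__(self, tofu: bool = True):
        self.entries: dict[str, str] = {}
        self.tofu = tofu

    def pin(self, host: str, fp: str) -> None:
        """Record a fingerprint obtained out of band (console, paper, DNS SSHFP)."""
        self.entries[host] = fp

    def check(self, host: str, pubkey: bytes) -> str:
        """Return the decision the client would make for this host/key pair."""
        fp = fingerprint(pubkey)
        known = self.entries.get(host)
        if known is None:
            if not self.tofu:
                return "REFUSED_UNKNOWN"
            # Nothing to compare against: the key is stored and trusted as-is.
            self.entries[host] = fp
            return "ACCEPTED_FIRST_USE"
        return "OK" if known == fp else "MISMATCH"


def scenario_default() -> tuple:
    """First contact goes through an interposed party, later contact is direct."""
    kh = KnownHosts(tofu=True)
    first = kh.check(HOST, MITM_KEY)   # recorded, no warning at all
    again = kh.check(HOST, MITM_KEY)   # still interposed: looks fine
    direct = kh.check(HOST, REAL_KEY)  # genuine key now triggers the warning
    return first, again, direct


def scenario_pinned() -> tuple:
    """Fingerprint verified out of band before the first connection."""
    kh = KnownHosts(tofu=False)
    kh.pin(HOST, fingerprint(REAL_KEY))
    interposed = kh.check(HOST, MITM_KEY)   # detected immediately
    genuine = kh.check(HOST, REAL_KEY)
    unknown = kh.check("other.example", REAL_KEY)  # never pinned: refused
    return interposed, genuine, unknown


if __name__ == "__main__":
    print("default (TOFU):", scenario_default())
    print("pinned        :", scenario_pinned())
```

The point the model makes is the one BM raises: with the first policy the interception is invisible until the path changes, so "install ssh" only helps if the fingerprint check is actually done. The second policy is what `StrictHostKeyChecking=yes` plus a pre-populated `known_hosts` gives in OpenSSH; the same logic applies to verifying the signatures on downloaded packages.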
