[linux-elitists] telnet weenie frenzy!
Tue Feb 27 08:36:18 PST 2001
begin Bulent Murtezaoglu quotation:
> D: If you assume link layer is safe on either end, this eavesdropping
> has to happen in the Internet at large in some intermediate router.
> If your adversary has access to IP level data stream, then you're
> likely to lose with ssh in default config also (man-in-the-middle).
Well, no. As I was saying, this hysteria about man-in-the-middle
amounts to nothing more than "don't ignore any red-light warning
about unexpected changes of host key" combined with the _obvious_,
well-known need to deliver host keys in some out-of-band fashion.
The fact that one semi-clued "security expert" saw fit to characterise
this situation as a "vulnerability" doesn't make it so.
> Furthermore, given that you're most likely getting your ssh (and
> other) software through the Internet, your adversary does not even
> need to sniff anything...
Again, this isn't Devil's advocacy; it's Chicken Little-ism. You talk
as if it were trivial to compromise the distribution channels for
even careful retrievers of security software, _and_ have that remain
undetected for significant periods of time. You will find (e.g.) that
compromising either non-us.debian.org or its DNS, and remaining
undetected, is seriously difficult.
> Rick Moen corrected me on this (thanks). The dictionary attack I had
> in mind was repeatedly trying username/password pairs through the net.
> I claimed ssh with user/password authentication was just as vulnerable
> to this as telnet given a negligent sysadmin. I agree that it
> probably would not be practical because of the time it takes per try
> (true for both though).
It is true for both, but not _equally_ true: Remote dictionary attacks
against an sshd would take vastly longer, because of the crypto
> If your link layer is not safe, then you have a ton of additional problems.
> Disruptions and IP hijacking through creative ARPing (or creative
> use of arping(8)) come to mind.
I should probably not attempt to parse and analyse this until after I've
had my morning coffee.
> If you are convinced your telnet is vulnerable, apt-get install ssh
> will not necessarily protect you.
As the saying goes, security is a hard problem. But I think you vastly
underestimate the difficulties attackers face in the scenarios you've
Cheers,                 We write precisely           We say exactly
Rick Moen               Since such is our habit in   How to do a thing or how
email@example.com       Talking to machines;         Every detail works.
Excerpt from Prof. Touretzky's decss-haiku.txt @ http://www.cs.cmu.edu/~dst/
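As an added illustration of the host-key check Rick describes above (example code written for this page, not from the thread or from OpenSSH): it computes the SHA256 fingerprint of a known_hosts-style key line the way OpenSSH displays it and compares it against a fingerprint obtained out of band, so a mismatch is the red light rather than something to click through. The host name, key bytes and helper names are constructed for the example.

```python
import base64
import hashlib
import struct

def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def known_hosts_line(host: str, key_type: str, key_material: bytes) -> str:
    """Build a known_hosts-style line 'host type base64(blob)'. The blob is the
    OpenSSH wire encoding: string(key_type) + string(key_material)."""
    blob = ssh_string(key_type.encode()) + ssh_string(key_material)
    return f"{host} {key_type} {base64.b64encode(blob).decode()}"

def fingerprint_sha256(known_line: str) -> str:
    """OpenSSH-style fingerprint 'SHA256:<base64, no padding>' of the key blob
    on a known_hosts line. Also checks that the type declared on the line
    matches the type embedded in the blob, as ssh does before trusting a key."""
    host, declared_type, blob_b64 = known_line.split()[:3]
    blob = base64.b64decode(blob_b64)
    (type_len,) = struct.unpack(">I", blob[:4])
    embedded_type = blob[4:4 + type_len].decode()
    if embedded_type != declared_type:
        raise ValueError(f"{host}: declared {declared_type!r}, blob says {embedded_type!r}")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_host_key(known_line: str, pinned_fingerprint: str) -> bool:
    """Compare the fingerprint the remote host presented with the one obtained
    out of band. False is the warning a user must not ignore."""
    return fingerprint_sha256(known_line) == pinned_fingerprint

# Constructed sample keys: 32 bytes of ed25519-sized filler, not a real server's key.
GENUINE_KEY = bytes(range(32))
IMPOSTOR_KEY = bytes(range(32, 64))
GENUINE_LINE = known_hosts_line("example.invalid", "ssh-ed25519", GENUINE_KEY)
IMPOSTOR_LINE = known_hosts_line("example.invalid", "ssh-ed25519", IMPOSTOR_KEY)
# Stands in for the fingerprint delivered over a trusted channel (derived from the sample here).
PINNED = fingerprint_sha256(GENUINE_LINE)

if __name__ == "__main__":
    print("genuine :", check_host_key(GENUINE_LINE, PINNED))   # True
    print("impostor:", check_host_key(IMPOSTOR_LINE, PINNED))  # False
```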