[linux-elitists] telnet weenie frenzy!

Bulent Murtezaoglu bm@acm.org
Tue Feb 27 09:23:46 PST 2001


[..]
    RM> Well, no.  As I was saying, this hysteria about
    RM> man-in-the-middle amounts to nothing more than "don't ignore
    RM> any red-light warning about unexpected changes of host key"
    RM> combined with the _obvious_, well-known need to deliver host
    RM> keys in some out-of-band fashion.

Agreed (we agree yet the thread lives on).  But the above is not the 
"drop telnet switch to ssh" scenario, it is the "drop telnet, learn
about ssh and use it properly" scenario.  For out-of-the-box ssh,
you will get that "change" warning if you used ssh to that host once
before.  For the first connection, you'll just get asked if you'll accept
the key into the persistent host key database.  Let me remind you of the
context: this is a comment about a reply to someone who asks an
on-line magazine for advice about "telnet localhost" not working.
Given that, the "well known need" is not known at all.

    RM> [...] Again, this isn't Devil's advocacy; it's Chicken
    RM> Little-ism.

Not knowing what that means, I'll take your word for it!  (how bad can
it be?)

    RM> You talk as if it were trivial to compromise the distribution
    RM> channels for even careful retrievers of security software,
    RM> _and_ have that remain undetected for significant periods of
    RM> time.  [...]

Yes, I do.  But if you assume people will break into intermediate
routers and sniff your packets, it does not seem that outlandish to
suppose they can do other stuff also.  Note the qualification, I am
not saying that it is trivial, I am saying that if one is easy then 
the other is not hard.  That's all.

    RM> You will find (e.g.) that compromising either
    RM> non-us.debian.org or its DNS, and remaining undetected, is
    RM> seriously difficult.

Yes, but we are already assuming that it is not me who's the adversary,
it is someone who can sniff the victim's packets at the IP level through
the Internet.  (Note that I attempted to cover my behind in the bits I 
elided by ruling out ethernet sniffing with somewhat shakier
arguments.  I agree you should go after those after coffee!)

    [me] If you are convinced your telnet is vulnerable, apt-get install
    [me] ssh will not necessarily protect you.

    RM> As the saying goes, security is a hard problem.  But I think
    RM> you vastly underestimate the difficulties attackers face in
    RM> the scenarios you've proposed. 

You are right for the general case, but let me point out again that we
are already assuming that they have overcome some of those difficulties.

cheers,

BM
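
Added example, not part of the original post: a Python sketch of the host key behaviour discussed above, classifying an offered key as a match, a change, or an unverified first contact, and showing how a fingerprint delivered out of band settles the first-contact case. Host names, keys and function names are constructed for illustration, and only plain (unhashed, non-wildcard) known_hosts entries are handled.

```python
import base64, hashlib, struct

def sample_key(fill):
    # Constructed ssh-ed25519 public key blob (not a real host key).
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes([fill]) * 32)
    return base64.b64encode(blob).decode()

KEY_A, KEY_B = sample_key(0x11), sample_key(0x22)
# Constructed known_hosts content: shell.example.org was accepted on an earlier login.
KNOWN_HOSTS = f"# sample\nshell.example.org,192.0.2.10 ssh-ed25519 {KEY_A}\n"

def fingerprint(b64_key):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text):
    """Map (host, keytype) -> base64 key for plain entries."""
    db = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, comments, @markers and hashed (|1|...) host names.
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        for host in fields[0].split(","):
            db[(host, fields[1])] = fields[2]
    return db

def check_host_key(db, host, keytype, offered, oob_fingerprint=None):
    """Classify an offered key: known, changed, or first contact."""
    known = db.get((host, keytype))
    if known is not None:
        # Seen before: any difference is the "red-light" warning.
        return "match" if known == offered else "CHANGED"
    if oob_fingerprint is None:
        # First connection with nothing to compare against: blind acceptance.
        return "first-contact-unverified"
    ok = fingerprint(offered) == oob_fingerprint
    return "first-contact-verified" if ok else "first-contact-MISMATCH"

if __name__ == "__main__":
    db = parse_known_hosts(KNOWN_HOSTS)
    print(check_host_key(db, "shell.example.org", "ssh-ed25519", KEY_B))
    print(check_host_key(db, "new.example.org", "ssh-ed25519", KEY_B))
    print(check_host_key(db, "new.example.org", "ssh-ed25519", KEY_B, fingerprint(KEY_B)))
```

Only the first-contact-unverified result depends on the user already knowing to check the key by other means; the other outcomes are decided by data the client or the user already holds.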


