[linux-elitists] telnet weenie frenzy!
Tue Feb 27 09:23:46 PST 2001
RM> Well, no. As I was saying, this hysteria about
RM> man-in-the-middle amounts to nothing more than "don't ignore
RM> any red-light warning about unexpected changes of host key"
RM> combined with the _obvious_, well-known need to deliver host
RM> keys in some out-of-band fashion.
Agreed (we agree yet the thread lives on). But the above is not the
"drop telnet switch to ssh" scenario, it is the "drop telnet, learn
about ssh and use it properly" scenario. For out-of-the-box ssh,
you will get that "change" warning if you used ssh to that host once
before. For the first connection, you'll just get asked if you'll accept
the key into the persistent host key database. Let me remind you the
context: this is a comment about a reply to someone who asks an
on-line magazine for advice about "telnet localhost" not working.
Given that, the "well known need" is not known at all.
RM> [...] Again, this isn't Devil's advocacy; it's Chicken
Not knowing what that means, I'll take your word for it! (how bad can
RM> You talk as if it were trivial to compromise the distribution
RM> channels for even careful retrievers of security software,
RM> _and_ have that remain undetected for significant periods of
RM> time. [...]
Yes, I do. But if you assume people will break into intermediate
routers and sniff your packets, it does not seem that outlandish to
suppose they can do other stuff also. Note the qualification, I am
not saying that it is trivial, I am saying that if one is easy then
the other is not hard. That's all.
RM> You will find (e.g.) that compromising either
RM> non-us.debian.org or its DNS, and remaining undetected, is
RM> seriously difficult.
Yes, but we are already assuming that it is not me who's the adversary,
it is someone who can sniff the victim's packets at the IP level through
the Internet. (Note that I attempted to cover my behind in the bits I
elided by ruling out ethernet sniffing with somewhat shakier
arguments. I agree you should go after those after coffee!)
[me] If you are convinced your telnet is vulnerable, apt-get install
[me] ssh will not necessarily protect you.
RM> As the saying goes, security is a hard problem. But I think
RM> you vastly underestimate the difficulties attackers face in
RM> the scenarios you've proposed.
You are right for the general case, but let me point out again that we
are already assuming that they have overcome some of those difficulties.
More information about the linux-elitists