Bugtraq mailing list archives
"The End of SSL and SSH?"
From: "Perry E. Metzger" <perry () PIERMONT COM>
Date: Tue, 19 Dec 2000 13:01:13 -0500
Kurt Seifried, in an article on SecurityPortal shrilly entitled "The End of SSL and SSH?", claims that SSH needs a PKI to be secure. The claim is that because people have built man-in-the-middle attack software (see http://www.monkey.org/~dugsong/dsniff/) that can intercept SSH sessions, SSH is insecure. After all, if a MITM attack happens, the user will be informed of this, and since the user can choose to ignore the warning that a host key has changed and log in, SSH must be fatally flawed. Without a PKI, Seifried claims, there is no way to know if a host key is authentic.

This argument makes absolutely no sense to me. The problem is simply one of the user interface allowing a user to ignore a security failure. If a remote login utility using a PKI prompted the user with "host key is not certified, log in anyway?", it would be no better than SSH implementations. If a Kerberized remote login utility prompted a user with "remote key is incorrect, log in anyway", it too would be no better.

If this is truly the extent of the flaw Mr. Seifried thinks requires a full PKI to fix, I'd like to know why setting StrictHostKeyChecking yes isn't a near-complete fix to the "End of SSH" Mr. Seifried predicts.

Perry Metzger
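The host-key decision the post turns on, as an added example that is not part of the original message or of any SSH implementation: a simplified shell model of how a client resolves a presented host key against a pinned known_hosts entry under each StrictHostKeyChecking value, plus the client config fragment the suggested fix corresponds to. The host name, the key string and the policy-to-outcome mapping are assumptions made for this example; ssh_config(5) is authoritative for a real client.

```shell
#!/bin/sh
# Added example: a model of the client-side host-key check, not code from the post.
# Policy mapping is an assumption for this model; consult ssh_config(5) for a real client.

# Constructed known_hosts sample in OpenSSH layout: "<host> <keytype> <base64-key>".
write_sample_known_hosts() {
  cat > "$1" <<'EOF'
bastion.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONLYNOTAREALKEY
EOF
}

# pinned_key FILE HOST KEYTYPE -> prints the stored key, or nothing if the host is unknown.
pinned_key() {
  awk -v h="$2" -v t="$3" '$1 == h && $2 == t { print $3; exit }' "$1"
}

# host_key_decision FILE HOST KEYTYPE PRESENTED_KEY POLICY -> connect | prompt | refuse
# POLICY is the StrictHostKeyChecking value: yes | ask | no
host_key_decision() {
  stored=$(pinned_key "$1" "$2" "$3")
  if [ -z "$stored" ]; then
    # First contact: there is nothing to compare the presented key against.
    case "$5" in
      yes) echo refuse ;;   # never accept an unseen host automatically
      ask) echo prompt ;;   # trust on first use, user decides
      *)   echo connect ;;  # "no": record the key silently and continue
    esac
  elif [ "$stored" = "$4" ]; then
    echo connect            # presented key matches the pinned value
  else
    # Key changed: exactly what an interposed host produces. In this model only
    # "no" warns and proceeds; "yes" and "ask" refuse without offering a prompt.
    case "$5" in
      no) echo connect ;;
      *)  echo refuse ;;
    esac
  fi
}

# Client config fragment (for ~/.ssh/config) corresponding to the fix the post names:
# strict checking against a dedicated, deliberately populated known_hosts file.
hardened_ssh_config() {
  cat <<'EOF'
Host bastion.example.com
    StrictHostKeyChecking yes
    UserKnownHostsFile ~/.ssh/known_hosts.pinned
EOF
}
```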