Bugtraq mailing list archives
Re: "The End of SSL and SSH?"
From: Samuele Giovanni Tonon <tonon () STUDENTS CS UNIBO IT>
Date: Thu, 21 Dec 2000 19:47:13 +0100
On Wed, Dec 20, 2000 at 09:01:48PM -0700, Kurt Seifried wrote:
People (ie the masses of users, you know, the people you support/etc) generally know a LOT less about security then your average Bugtraq subscriber. They by and large believe that SSL and SSH are "secure". I've had countless websites say "we are secure because we use SSL". Well I think we all know better.
that's a good point of view but if you use this point of view for all security aspects you have in informatic and in "real-life", ( e.g. your passwd on the ISP account or your pin of the C.C. or the pin of your cell phone ) you'll find there's no "secure protocol" against human stupidity/ignorance ( when all fails social engeneering works !).
The main point of the article was to let people know that SSL and SSH are far from perfect, in fact I think they are pretty poor because they rely so heavily on the end user (usually the weakest link).
you can extend this discussion to all modern crypto protocols: none seems to work against man in the middle attack or against simulating to be a man you aren't.
This wasn't to much of a problem till recently because the availability of software to execute a man in the middle attack was not to widespread. Well Dug Song changed all that with dsniff 2.3. Attackers now have to know very little to execute an attack, and in many situations they probably stand a good chance of succeding.
this is true if you think just to script-kiddie, every good programmer could do it, without telling others he did it, and use his program to spoof a lot of account. what dsniff do is to extend the number of potential attaccker to script-kiddie too: but now, all of us are warned when ssh says : hey there's a new public key .
People have mentioned /etc/hosts and known_hosts. Well tiny problem, there's this desktop OS called Windows that has like 95% of the market and as a rule of thumb the hosts file in Windows is usually non existent (as a rule the only entry by default is localhost).
that's not the point: if you were using ssh on windows but you were trojaned by netbus the attacker could just see what you were typing on your keyboard, so ssh is far to be secure if it's used on a insecure OS .
We can move the problem "back" for example by using certificates for example, in theory if I create an X.509 cert properly on my smartcard, and Verisign doesn't goof up on checking my identity then that X.509 cert is pretty secure, and now when I connect to sites capable of taking an X.509 cert as auth it's pretty safe.
how many "dummy user" do you think they'll do this when it will be avaible ? none seems to check if the cert you get from a https server is right ... do you think there won't a way to steal and clone your smart card ?? Sorry for my ugly english Samuele -- Samuele Tonon <tonon () students cs unibo it> Undergraduate Student of Computer Science at University of Bologna, Italy Linux System administrator at Computer Science Research Labs of University of Bologna, Italy Founder & Member of A.A.H.T.
Current thread:
- Re: "The End of SSL and SSH?", (continued)
- Re: "The End of SSL and SSH?" Crispin Cowan (Dec 20)
- Re: "The End of SSL and SSH?" Ajax (Dec 20)
- Re: "The End of SSL and SSH?" Eric Rescorla (Dec 21)
- Re: "The End of SSL and SSH?" Damien Miller (Dec 21)
- Re: "The End of SSL and SSH?" Ryan Russell (Dec 21)
- Re: "The End of SSL and SSH?" Michael H. Warfield (Dec 20)
- Re: "The End of SSL and SSH?" Alfred Perlstein (Dec 20)
- Re: "The End of SSL and SSH?" Perry E. Metzger (Dec 21)
- Re: "The End of SSL and SSH?" Kurt Seifried (Dec 21)
- Re: "The End of SSL and SSH?" Eric Rescorla (Dec 21)
- Re: "The End of SSL and SSH?" Samuele Giovanni Tonon (Dec 21)
- Re: "The End of SSL and SSH?" - mongo followup Kurt Seifried (Dec 24)
- Re: "The End of SSL and SSH?" Adrian Close (Dec 22)
- Re: "The End of SSL and SSH?" Darren Reed (Dec 21)
- Re: "The End of SSL and SSH?" Klaus Moeller (Dec 22)