Bugtraq mailing list archives
Re: Insecure IKE Implementations Clarification
From: Florian Weimer <fw () deneb enyo de>
Date: Fri, 12 Dec 2003 23:25:55 +0100
Thor Lancelot Simon wrote:
> Yes and no. SSH is not, by itself, a network-layer encryption solution, and there are many applications where that's really desirable. The other issue is, of course, that SSH's model for authenticating host identities is, itself, a mess: in this day and age, it is not acceptable to just punt on the problem of first contact and pretend that users will reasonably exchange key fingerprints offline.
You don't exchange fingerprints, you just store them. Previously, I thought that to be risky, but after having seen too many failed PKIs implemented according to the textbooks, I'm no longer sure if the SSH approach is so ugly. FWIW, I have removed all CA certificates from my web browser and store all web site certificates permanently. According to my threat model (which involves greedy CAs issuing certificates after superficial checks), this will catch a few attacks.
> The widespread success of sniffing and MITM attacks on the SSH protocol -- all due to users not doing what the protocol, by omitting any means of using a hierarchy or web to validate host keys, requires them to do -- should be proof enough of this.
There are very few such attacks in the wild. Most machines which do not already have the keys I need and which are in an environment especially prone to MITM attacks are not exactly trustworthy, either, so I don't lose much. In fact, there is not much choice because it's impossible to roll out root CA keys for SSH server authentication. There's no widely used proprietary implementation that could essentially control the root CA set (as it happened with the web browser PKI). However, in the Cisco VPN case, the issue is moot. You can easily distribute the concentrator certificate or fingerprint along with the client software and configuration. You already need a secure channel for that anyway.
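The two trust models contrasted in this message, as an added sketch that is not part of the original post: storing a certificate fingerprint on first contact, and checking against a fingerprint shipped with the client configuration. The `PinStore` class, the host names, the sample bytes and the choice of SHA-256 are all assumptions made for illustration.

```python
import hashlib
import hmac


class PinMismatch(Exception):
    """The presented certificate does not match the stored fingerprint."""


def fingerprint(cert_der: bytes) -> str:
    # SHA-256 over the certificate encoding; the digest choice is an assumption.
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """Hypothetical per-host fingerprint store; no CA is consulted."""

    def __init__(self, provisioned=None, allow_first_contact=True):
        # provisioned: {host: fingerprint} shipped with the client
        # configuration over the channel that delivers the software.
        self.pins = dict(provisioned or {})
        self.allow_first_contact = allow_first_contact

    def check(self, host: str, cert_der: bytes) -> str:
        seen = fingerprint(cert_der)
        known = self.pins.get(host)
        if known is None:
            if not self.allow_first_contact:
                raise PinMismatch(f"{host}: no provisioned fingerprint")
            self.pins[host] = seen  # store permanently on first contact
            return "stored"
        if not hmac.compare_digest(known, seen):
            # A changed certificate is reported even if a CA would accept it.
            raise PinMismatch(f"{host}: expected {known[:16]}, got {seen[:16]}")
        return "match"


# Constructed sample "certificates" (arbitrary bytes, not real DER).
GENUINE = b"constructed-cert-bytes-genuine"
SUBSTITUTE = b"constructed-cert-bytes-substitute"

if __name__ == "__main__":
    tofu = PinStore()
    print(tofu.check("www.example.org", GENUINE))   # first contact
    print(tofu.check("www.example.org", GENUINE))   # later visit
    vpn = PinStore({"vpn.example.org": fingerprint(GENUINE)},
                   allow_first_contact=False)
    try:
        vpn.check("vpn.example.org", SUBSTITUTE)
    except PinMismatch as exc:
        print("rejected:", exc)
```

With `allow_first_contact=False` the store never learns a fingerprint from the network, so the first-contact gap raised in the quoted text does not exist for provisioned hosts.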