Interesting People mailing list archives
IP: more on SSH: an ineffectual "feel-good" security measure -- from risks
From: David Farber <farber () cis upenn edu>
Date: Sat, 15 Jan 2000 21:32:35 -0500
-----Original Message-----
From: Perry E. Metzger [mailto:perry () piermont com]
Sent: Saturday, January 15, 2000 9:27 PM
To: farber () cis upenn edu

For IP.

Dave Farber <farber () cis upenn edu> writes:
Date: Mon, 20 Dec 1999 00:34:14 -0700
From: "Schlake ( William Colburn )" <schlake () nmt edu>

When I first read the report of RST breaking the netscape algorithm I was caught up in the moment. Netscape should have known better than do something so foolish! Then I read the next comp.risks and I felt like a fool. There is a great risk in pretending to have security when you really have none. I think many people believe that ssh protects them from wrong-doers, and that nothing bad can happen to them if they use ssh. The authors of the Internet Auditing Project(1) have a good story to tell about ssh, as do the people who run the web site for rootshell.org(2). Some sys-admins here at work are rabid about ssh. They have disabled telnet and rlogin for "security" reasons, and naively believe that ssh is somehow more secure.
As an early SSH proponent and chair of the IETF working group that is standardizing it, let me say that most of what this article has to say is ridiculous. Telnet and rlogin are *far* less secure than SSH. SSH doesn't just protect the data stream for the duration of your connection (which neither telnet nor rlogin do), but also can provide cryptographic credentials for login -- which are far more secure than passwords and such. It is true that you can set SSH to use passwords instead of RSA keys, but if you do that, you're an adult who presumably knows what they're doing (and you are certainly better off than you were otherwise since at least the passwords won't be going in the clear). It is true that rootshell.org was once broken into, but in spite of claims made at the time, no evidence ever emerged that SSH flaws had anything at all to do with it.
Ssh protects the data stream between two secure machines. Anyone sitting between the two machines can't tell what is going on in the ssh stream because of the encryption. The risk to the user is assuming that either end is secure.
Well, yeah. If you are logging in to a broken machine, it's already broken, and if you log in to a machine from a machine that has been broken, you're giving the machine you're logging in to to the people that broke the machine you're coming from. Big deal. That doesn't mean SSH is no better than telnet or rlogin. It means that SSH isn't a miracle cure for everything from foot fungus to the common cold. It just does one thing, and does it well -- protecting your session.
If no one has compromised my system, then it is safe to use telnet to log in between machines.
No, it isn't. Someone can (*and these days will*) tap your connection, grab your password, and log in later. He might also these days simply seize control of your TCP session (there are nice toolkits for this out there) and that's the end of your security on the destination box.
Where am I going to find a secure machine outside my network? I bet there are lots of secure machines all over the place, but I will never know which ones they are. If security is really important to me, I will never log in to any computer from any other computer I don't own (and hence trust) myself. That means that if I need to log in to work when I am off site, I need to have my own laptop that I keep powered down, encased in cement, buried in a vault, and guarded by an army (and even then can I really be sure it is secure)?
This is like saying "I can't perfectly secure my home, so I'm going to leave the doors and windows open", or "I can't be perfectly safe in my car, so I won't wear a seatbelt". Security is always a question of economics. You decide how safe you need to be as a tradeoff against cost and convenience and live with that. This is different from saying "SSH is useless".

.pm
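The "tap your connection, grab your password" step Perry describes is close to zero effort against telnet, because the protocol carries the login dialogue as plain terminal bytes interleaved with option negotiation. The script below is an added example and not part of the original thread or of either author's material: it takes a constructed telnet session (the hostname host.example, the username and the password are all made up for illustration, as is the exact negotiation exchange), strips the RFC 854 IAC sequences, and pairs each server prompt with the line the client typed next. It handles both line-at-a-time and character-at-a-time clients, since the client side is authoritative for what was typed even when the server suppresses the echo.

```python
"""Recover a cleartext telnet login from a passively captured session.

Added example, not the original post's code. SAMPLE_SESSION is constructed
by hand to look like what a network tap would record; every name in it is
fictional.
"""

# Telnet command bytes (RFC 854).
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240

# Prompts we consider credential prompts (compared case-insensitively).
PROMPTS = ("login:", "username:", "password:")


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Return only terminal data, dropping IAC command/option sequences."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(data):          # dangling IAC at end of record
            break
        cmd = data[i + 1]
        if cmd == IAC:                  # IAC IAC is an escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):
            i += 3                      # IAC <cmd> <option>
        elif cmd == SB:                 # IAC SB ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:
            i += 2                      # two-byte command (NOP, GA, AYT, ...)
    return bytes(out)


def extract_credentials(session):
    """Pair each server prompt with the next line the client sends.

    `session` is a list of (direction, payload) records in capture order,
    direction "S" for server->client and "C" for client->server.
    Returns a list of (prompt, typed_value) tuples.
    """
    creds = []
    pending = None   # prompt waiting for a client answer
    buf = ""         # client bytes typed since that prompt
    for direction, payload in session:
        text = strip_telnet_negotiation(payload).decode("latin-1")
        if direction == "S":
            # Server echo of the client's keystrokes is ignored while a prompt
            # is pending; only look for a new prompt once the last is answered.
            if pending is None:
                lowered = text.lower().rstrip()
                for prompt in PROMPTS:
                    if lowered.endswith(prompt):
                        pending, buf = prompt, ""
                        break
        elif pending is not None:
            buf += text
            cuts = [buf.find(c) for c in ("\r", "\n") if c in buf]
            if cuts:                    # a full line has been typed
                creds.append((pending, buf[:min(cuts)]))
                pending, buf = None, ""
    return creds


# Constructed capture of one login. The server negotiates ECHO so the
# password is not echoed back, but the client still sends it in the clear.
SAMPLE_SESSION = [
    ("S", b"\xff\xfd\x18\xff\xfd\x1f"),        # IAC DO TERMINAL-TYPE, IAC DO NAWS
    ("C", b"\xff\xfc\x18\xff\xfc\x1f"),        # IAC WONT ..., IAC WONT ...
    ("S", b"\xff\xfb\x01\xff\xfb\x03"),        # IAC WILL ECHO, IAC WILL SGA
    ("C", b"\xff\xfd\x01\xff\xfd\x03"),        # IAC DO ECHO, IAC DO SGA
    ("S", b"\r\nhost.example login: "),
    ("C", b"w"), ("S", b"w"),                  # character-at-a-time, echoed
    ("C", b"colburn\r\n"), ("S", b"colburn\r\n"),
    ("S", b"Password: "),
    ("C", b"hunter2\r\n"),                     # never echoed, still visible
    ("S", b"\r\n$ "),
]


if __name__ == "__main__":
    for prompt, value in extract_credentials(SAMPLE_SESSION):
        print(f"{prompt:<10} {value}")
```

An SSH session gives the same observer nothing comparable: the authentication exchange is inside the encrypted transport, so there is no prompt/answer pair to scrape even with a complete capture of both directions.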