IP: more on SSH: an ineffectual "feel-good" security measure -- from risks

[David Farber <farber () cis upenn edu>]

-----Original Message-----
From: Perry E. Metzger [mailto:perry () piermont com]
Sent: Saturday, January 15, 2000 9:27 PM
To: farber () cis upenn edu




For IP.

Dave Farber <farber () cis upenn edu> writes:

> Date: Mon, 20 Dec 1999 00:34:14 -0700
> From: "Schlake ( William Colburn )" <schlake () nmt edu>
>
>
> When I first read the report of RST breaking the netscape algorithm I was
> caught up in the moment. Netscape should have known better than do
> something so foolish! Then I read the next comp.risks and I felt like a
> fool. There is a great risk in pretending to have security when you really
> have none.
> I think many people believe that ssh protects them from wrong-doers, and
> that nothing bad can happen to them if they use ssh. The authors of the
> Internet Auditing Project(1) have a good story to tell about ssh, as do
the
> people who run the web site for rootshell.org(2). Some sys-admins here at
> work are rabid about ssh. They have disabled telnet and rlogin for
> "security" reasons, and naively believe that ssh is somehow more secure.

As an early SSH proponent and chair of the IETF working group that is
standardizing it, let me say that most of what this article has to say
is ridiculous.

Telnet and rlogin are *far* less secure than SSH. SSH doesn't just
protect the data stream for the duration of your connection (which
neither telnet nor rlogin do), but also can provide cryptographic
credentials for login -- which are far more secure than passwords and
such. It is true that you can set SSH to use passwords instead of RSA
keys, but if you do that, you're an adult who presumably knows what
they're doing (and you are certainly better off than you were
otherwise since at least the passwords won't be going in the clear).

It is true that rootshell.org was once broken into, but in spite of
claims made at the time, no evidence ever emerged that SSH flaws had
anything at all to do with it.

> Ssh protects the data stream between two secure machines. Anyone sitting
> between the two machines can't tell what is going on in the ssh stream
> because of the encryption. The risk to the user is assuming that either
end
> is secure.

Well, yeah. If you are logging in to a broken machine, its already
broken, and if you log in to a machine from a machine that has been
broken, you're giving the machine you're logging in to to the people
that broke the machine you're coming from. Big deal.  That doesn't
mean SSH is no better than telnet or rlogin. It means that SSH isn't a
miracle cure for everything from foot fungus to the common cold. It
just does one thing, and does it well -- protecting your session.

> If no one has compromised my system, then it is safe to use telnet to
login
> between machines.

No, it isn't. Someone can (*and these days will*) tap your connection,
grab your password, and log in later. He might also these days simply
seize control of your TCP session (there are nice toolkits for this
out there) and that's the end of your security on the destination box.

> Where am I going to find a secure machine outside my network? I bet there
> are lots of secure machines all over the place, but I will never know
which
> ones they are. If security is really important to me, I will never log in
> to any computer from any other computer I don't own (and hence trust)
> myself. That means I that if I need to login to work when I am off site,
> that I need to have my own laptop that I keep powered down, encased in
> cement, buried in a vault, and guarded by an army (and even then can I
> really be sure it is secure)?

This is like saying "I can't perfectly secure my home, so I'm going to
leave the doors and windows open", or "I can't be perfectly safe in my
car, so I won't wear a seatbelt".

Security is always a question of economics. You decide how safe you
need to be as a tradeoff against cost and convenience and live with
that. This is different from saying "SSH is useless".

.pm