Bugtraq mailing list archives
Re: "The End of SSL and SSH?"
From: Kurt Seifried <seifried () securityportal com>
Date: Tue, 19 Dec 2000 11:33:56 -0700
It is also incredibly difficult for users to ascertain whether the key is legit or not. I've had some people suggest that all the SSH keys be PGP signed and put on floppy and given to users (that one made me laugh). Most users will happily accept SSL certs that have expired, point to the wrong site or are self-signed (all of which could be a man in the middle attack or a lazy admin). I used to religiously sign emails with PGP until I realized that no one probably checked. How did I know this? I started modifying the email after signing so that it wouldn't verify; no one ever complained. SSH and SSL are in my opinion poor implementations of security protocols; they also lack a lot of things such as repudiation/etc. To believe they are the best we can do makes me very sad. I suspect in 5 years we'll talk about ssh/ssl like we talk about telnet right now.
Perry Metzger
-Kurt