Bugtraq mailing list archives

Re: "The End of SSL and SSH?"


From: Damien Miller <djm () MINDROT ORG>
Date: Thu, 21 Dec 2000 13:36:24 +1100

On Wed, 20 Dec 2000, Crispin Cowan wrote:

   * SSH: punts the whole problem, and makes the users responsible
   for initial key placement. Brilliant & lame at the same time, this
   has allowed SSH to spread rapidly, because it is much easier to
   install than most other secure remote access/VPN solutions. To
   be really secure, you can sneakernet (floppy disk) your initial
   key onto all the nodes you want. You can also punt, and use
   insecure means to place the initial keys: SSH warns you that you're
   subject to a man-in-the-middle attack when you do that.

OpenSSH (and maybe others) print fingerprints when previously unknown host
keys are presented. This allows for OOB veracity checking.

I have seen a few PGP signed SSH host keys and SSH host keys served from
webservers with "real" certificates, so 'cross-PKI' is another way around
the problem.

SSH and SSL are in my opinion poor implementations of security
protocols, they also lack a lot of things such as repudiation/etc.
To believe they are the best we can do makes me very sad. I suspect
in 5 years we'll talk about ssh/ssl like we talk about telnet right
now.

They may be bad protocols (or good; I'm not a crypto protocol guy)
but not for the reason you're presenting. The issue you bring up is
endemic to all crypto protocols.

His argument in the case of SSL isn't even correct - CRLs and OCSP are
extant, if not pretty or widely deployed, repudiation mechanisms.

-d

--
| ``We've all heard that a million monkeys banging on | Damien Miller -
| a million typewriters will eventually reproduce the | <djm () mindrot org>
| works of Shakespeare. Now, thanks to the Internet, /
| we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org

