Re: Insecure IKE Implementations Clarification

[itojun () itojun org (Jun-ichiro itojun Hagino)]

> On Fri, Dec 12, 2003 at 11:00:31PM +0100, Florian Weimer wrote:
> > Thor Lancelot Simon wrote:
> >
> > > For what it's worth, the possibility of this general type of attack was
> > > repeatedly discussed in the IPsec working group and is a major reason
> > > why XAUTH was abandoned.  The particular password-stealing attack that I 
> > > describe as been widely discussed among IKE implementors for at least two
> > > years; other implementors probably independently noticed it at least as
> > > early as I did, which was three years ago.
> >
> > And we have technology deployed that solves exactly the same problem in
> > a reasonable way: SSH.
>
> Yes and no.  SSH is not, by itself, a network-layer encryption solution,
> and there are many applications where that's really desirable.  The other
> issue is, of course, that SSH's model for authenticating host identities
> is, itself, a mess: in this day and age, it is not acceptable to just
> punt on the problem of first contact and pretend that users will reasonably
> exchange key fingerprints offline.  The widespread success of sniffing
> and MITM attacks on the SSH protocol -- all due to users not doing what
> the protocol, by omitting any means of using a hierarchy or web to validate
> host keys, requires them to do -- should be proof enough of this.

        there are efforts; draft-ietf-secsh-dns-05.txt.

itojun