Open Source and information security mailing list archives
 
Message-ID: <20031212223223.GA676@rek.tjls.com>
Date: Fri, 12 Dec 2003 17:32:23 -0500
From: Thor Lancelot Simon <tls@....tjls.com>
To: fw@...eb.enyo.de
Cc: aadams@...urityfocus.com, bugtraq@...urityfocus.com
Subject: SSH vs. IKE trust models (was Re: Insecure IKE Implementations Clarification)


On Fri, Dec 12, 2003 at 11:25:55PM +0100, Florian Weimer wrote:
> Thor Lancelot Simon wrote:
> 
> > Yes and no.  SSH is not, by itself, a network-layer encryption solution,
> > and there are many applications where that's really desirable.  The other
> > issue is, of course, that SSH's model for authenticating host identities
> > is, itself, a mess: in this day and age, it is not acceptable to just
> > punt on the problem of first contact and pretend that users will reasonably
> > exchange key fingerprints offline.
> 
> You don't exchange fingerprints, you just store them.  Previously, I

Indeed, and you have no way to know that you are storing the right
fingerprint.

> > The widespread success of sniffing and MITM attacks on the SSH
> > protocol -- all due to users not doing what the protocol, by omitting
> > any means of using a hierarchy or web to validate host keys, requires
> > them to do -- should be proof enough of this.
> 
> There are very few such attacks in the wild.  Most machines which do not

That's not true; such attacks have been widely documented at every recent
IETF meeting.

Nothing prevents you from using certificate-authenticated IKE the exact
same way you use your web browser: store individual host certificates,
instead of the root certificate and the DNs of the parties you expect to
connect to.  However, nothing *enables* you to use SSH with either a
hierarchical trust model (which you seem to not like) or a web-of-trust
model (à la PGP) where you decide whom to trust and how much, because
both have been proposed to the working group and both have been,
effectively, shot down.  As I said, that is very unfortunate, and the
dsniff and other attacks at recent IETF meetings and elsewhere (e.g. on
college campus networks) illustrate that real users are suffering for
it in the real world right now.

Thor

