Date: Sun, 7 Jan 2001 11:21:16 -0500 (EST) From: Robert Watson <rwatson@FreeBSD.ORG> To: **1st Vamp** <wes@pmason.karoo.co.uk> Cc: security@FreeBSD.ORG Subject: Re: Fw: Re: Antisniffer measures (digest of posts) Message-ID: <Pine.NEB.3.96L.1010107111516.27948D-100000@fledge.watson.org> In-Reply-To: <E14FFLX-0003ok-00@smtpout.kingston-internet.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, 7 Jan 2001, **1st Vamp** wrote: > To: Wes Peters <wes@softweyr.com> > Date: 07/01/2001, 12:45:09 > Subject: Re: Antisniffer measures (digest of posts) > > Technically any SSL enabled telnet client wouldn't be that different from > using a normal telnet client through an SSL tunnel, such as stunnel, > although some bugs have been found in recent ports, and this is technically > no more secure than plain old SSH. I'm not sure I follow your argument -- if the SSL telnet properly evaluates X.509 certificates, and has preconfigured, trusted roots, then an SSL telnet does offer something that SSH does not have: the ability to connect to a new host without a manual keying procedure. Given that the weakness currently widely touted as existing in SSH is really a failure to provide an automatic keying procedure (and users not knowing how to deal with that), it seems to be the case that in that regard, it really *is* more secure than plain old SSH. Now, at least some of the SSL clients out there actually don't do this: for example, last time I looked at pine-SSL (a while ago), it performed no certificate checking, meaning it was quite subject to a man-in-the-middle attack, and unlike most versions of SSH, would not display any warning indicating the potential for one. However, a properly written and configured SSL client should not do this. Robert N M Watson FreeBSD Core Team, TrustedBSD Project robert@fledge.watson.org NAI Labs, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1010107111516.27948D-100000>