Thread: The end of SSL & SSH?

  1. #1
    Senior Member
    Join Date
    Nov 2002

    The end of SSL & SSH?

    Here is an article about security and SSL/SSH written by Kurt Seifried.

    The basic idea is to use dsniff to grab keys:
    Public Key Encryption
    There is one fundamental problem with establishing a secure, encrypted connection over the Internet. No matter how you do it, at some point you must initiate the connection over a public and potentially hostile network. Ideally, when two hosts establish a connection, they exchange public keys using a variety of verification processes (Diffie-Hellman being an extremely popular one), and each host properly receives the other's key. Unfortunately, since this must take place over a public and usually insecure network, it is possible for an attacker to intercept the key exchange and subvert it.
    I found a forum message pretty well written as a counter argument
    The problem is simply one of the user interface allowing a user to
    ignore a security failure. If a remote login utility using a PKI
    prompted the user with "host key is not certified, log in anyway?", it
    would be no better than SSH implementations. If a Kerberized remote
    login utility prompted a user with "remote key is incorrect, log in
    anyway", it too would be no better.

    If this is truly the extent of the flaw Mr. Seifried thinks requires a
    full PKI to fix, I'd like to know why setting isn't a near-complete fix to the "End of SSH" Mr. Seifried predicts.
    What do you think, is it the end or not?
    Personally, since encryption keys may come in a not encrypted way across the net during setup, I think the architecture is dangerous.
    SHARING KNOWLEDGE

  2. #2
    Senior Member
    Join Date
    Jan 2002
    You can't win however. Without a central trusted authority (like the ones for HTTPS), there is no way that a client can know whether a server is genuine. The central trusted authority model introduces a significant admin overhead and is still flawed (people have managed to obtain SSL certificates on others' behalf by social engineering).

    What SSH can do is tell you if a server changes its identity, something which should not usually happen. The user can then choose to abort the connection, thus not revealing anything to a man-in-the-middle.

  3. #3
    Senior Member
    Join Date
    Oct 2002
    The classic man in the middle attack. But it is very difficult to pull off as the attacker would have to have control of a router or something similar.

    This is a very complex attack; the chances of it happening to any one of us are very remote. A much bigger problem is an employee with the company who you are sending your credit card details to, stealing or copying your details down and then selling them to someone else.

    I'm a SittingDuck, but the question is "Is your web app a Sitting Duck?"

  4. #4
    Senior Member
    Join Date
    Sep 2001
    The security of SSH, PGP, etc. relies on the "off-band" validation of the signatures of the exchanged keys. In SSH for example, when you first log on to a remote server, you're prompted with the key-signature of the remote server; in theory, you would validate that signature with the administrator of the server via an "off-band" means (i.e. other than the internet; by phone or snail-mail for example). The same holds with PGP public keys; recent PGP even shows the key signature as a series of dictionary words that you can easily read to someone by phone to validate. Of course, most people don't bother validating the keys, hence the security risk, but that's not really the protocol's fault, more of a human error...

    Oh, and in the case of SSL (PGP does that in an unofficial/decentralised way too though), validity/authenticity of keys is "transitively verified" by a "web-of-trust". Ex: I, W, trust X who trusts Y, thus, I can trust Y.

    Credit travels up, blame travels down -- The Boss
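
An added example, not part of the original thread: a sketch of the two checks described in posts #2 and #4, where the first connection is accepted only if the offered key matches a fingerprint obtained out-of-band, and any later key change is rejected rather than offered as a "log in anyway?" prompt. The `HostKeyStore` class, the `constructed_key` helper and the host name are assumptions made for illustration; the fingerprint format follows OpenSSH's `SHA256:` style.

```python
import base64
import hashlib
import hmac
import struct

def fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a 'type base64blob [comment]' line."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def constructed_key(fill: int) -> str:
    """Constructed sample: an ed25519-shaped key blob filled with one byte value."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes([fill]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed"

class HostKeyStore:
    """Hypothetical in-memory pin store, similar in spirit to known_hosts."""
    def __init__(self):
        self.pins = {}

    def check(self, host, offered_key, oob_fingerprint=None):
        fp = fingerprint(offered_key)
        pinned = self.pins.get(host)
        if pinned is not None:
            # Known host: a changed identity is a hard failure, not a prompt.
            return "ok" if hmac.compare_digest(pinned, fp) else "REJECT: host key changed"
        if oob_fingerprint is None:
            # Unknown host and nothing to verify against: fail closed.
            return "REJECT: unknown host, no out-of-band fingerprint"
        if not hmac.compare_digest(fp, oob_fingerprint):
            return "REJECT: fingerprint mismatch"
        self.pins[host] = fp
        return "ok (pinned)"

def demo():
    store = HostKeyStore()
    genuine, other = constructed_key(1), constructed_key(2)
    oob = fingerprint(genuine)  # value the admin would read out by phone
    return [
        store.check("server.example", other, oob),    # wrong key on first connect
        store.check("server.example", genuine, oob),  # verified first connect
        store.check("server.example", genuine),       # later connect, same key
        store.check("server.example", other),         # later connect, key changed
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```
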

  5. #5
    Senior Member
    Join Date
    Feb 2003
    A very interesting article, thanks Networker for directing me to this post.

    When reading about SSL a week ago I was wondering about how these private and public keys could maybe be intercepted. Was interested in using SSL on my server just as a learning project, I think I would learn more that way, by doing. Though currently it seems my server doesn't support generating certificate sign requests, so I'm looking for other alternatives like freessl and openssl, or a self signed certificate.

    A good read thanks for posting.

  6. #6
    Senior Member
    Join Date
    Nov 2002
    sharing is the key!
    SHARING KNOWLEDGE

  7. #7
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    yeah, that's a pretty decent paper...
    just finished reading it...
    good post networker
    yeah, I'm gonna need that by friday...
