[18207] in bugtraq


Re: "The End of SSL and SSH?"

daemon@ATHENA.MIT.EDU (Kurt Seifried)
Tue Dec 19 23:54:26 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id:  <005901c069ea$3f73eec0$ca00030a@seifried.org>
Date:         Tue, 19 Dec 2000 11:33:56 -0700
Reply-To: Kurt Seifried <seifried@securityportal.com>
From: Kurt Seifried <seifried@SECURITYPORTAL.COM>
X-To:         "Perry E. Metzger" <perry@piermont.com>
To: BUGTRAQ@SECURITYFOCUS.COM

It is also incredibly difficult for users to ascertain whether the key is legit or not. I've had some people suggest that all the SSH keys be PGP signed and put on floppy and given to users (that one made me laugh). Most users will happily accept SSL certs that have expired, point to the wrong site or are self-signed (all of which could be a man-in-the-middle attack or a lazy admin). I used to religiously sign emails with PGP until I realized that no one probably checked. How did I know this? I started modifying the email after signing so that it wouldn't verify; no one ever complained.

SSH and SSL are in my opinion poor implementations of security protocols; they also lack a lot of things such as repudiation, etc. To believe they are the best we can do makes me very sad. I suspect in 5 years we'll talk about ssh/ssl like we talk about telnet right now.

> Perry Metzger

-Kurt
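The three certificate conditions the post says users wave through (expired, wrong site, self-signed) are exactly what a client is supposed to reject. The following is an added example, not code from the post or from any SSL/SSH implementation: it classifies those conditions from the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, using constructed sample certificates and a fixed clock rather than a live connection. The helper names (`cert_problems`, `_host_matches`) and the sample values are assumptions made for the example.

```python
"""Classify the certificate problems a TLS client must not ignore:
expired, hostname mismatch, self-signed.  Works on the dict layout
returned by ssl.SSLSocket.getpeercert(); all sample data is constructed."""
import ssl
import time


def _rdn_to_dict(rdns):
    # getpeercert() encodes subject/issuer as a tuple of RDNs, each a
    # tuple of (type, value) pairs; flatten them into {type: value}.
    out = {}
    for rdn in rdns:
        for key, value in rdn:
            out[key] = value
    return out


def _host_matches(pattern, hostname):
    # Minimal RFC 6125-style match: exact name, or a single leading
    # "*." wildcard covering exactly one label (never the apex domain).
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        return (hostname.endswith(pattern[1:])
                and hostname.count(".") == pattern.count("."))
    return False


def cert_problems(cert, hostname, now=None):
    """Return a sorted list of problem labels; an empty list means acceptable."""
    now = time.time() if now is None else now
    problems = []

    # Validity window (getpeercert() uses "Mon DD HH:MM:SS YYYY GMT").
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if "notBefore" in cert and now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not-yet-valid")

    # Host identity: prefer DNS SANs, fall back to CN only when no SAN exists.
    names = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:
        cn = _rdn_to_dict(cert["subject"]).get("commonName")
        names = [cn] if cn else []
    if not any(_host_matches(n, hostname) for n in names):
        problems.append("hostname-mismatch")

    # Self-signed: issuer is the subject itself (no independent trust anchor).
    if cert["subject"] == cert["issuer"]:
        problems.append("self-signed")
    return sorted(problems)


# Constructed samples (not real certificates) and a fixed "now" for the checks.
NOW = ssl.cert_time_to_seconds("Dec 19 12:00:00 2000 GMT")
CA_ISSUER = ((("commonName", "Example Test CA"),),)

GOOD_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": CA_ISSUER,
    "notBefore": "Jan 10 00:00:00 2000 GMT",
    "notAfter": "Jan 10 00:00:00 2002 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "www.example.com"),),),
    "notAfter": "Jan 10 00:00:00 2002 GMT",
    "subjectAltName": (("DNS", "www.example.com"),),
}
STALE_CERT = {  # expired, self-signed, and issued for a different host
    "subject": ((("commonName", "old.example.net"),),),
    "issuer": ((("commonName", "old.example.net"),),),
    "notAfter": "Dec 01 00:00:00 2000 GMT",
    "subjectAltName": (("DNS", "old.example.net"),),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "issuer": CA_ISSUER,
    "notAfter": "Jan 10 00:00:00 2002 GMT",
    "subjectAltName": (("DNS", "*.example.com"),),
}

if __name__ == "__main__":
    for label, cert, host in [("good", GOOD_CERT, "www.example.com"),
                              ("wrong host", GOOD_CERT, "mail.example.com"),
                              ("self-signed", SELF_SIGNED_CERT, "www.example.com"),
                              ("stale", STALE_CERT, "www.example.com"),
                              ("wildcard ok", WILDCARD_CERT, "www.example.com"),
                              ("wildcard apex", WILDCARD_CERT, "example.com")]:
        print(f"{label:14} -> {cert_problems(cert, host, NOW) or 'OK'}")
```

A real client should let the library do this work (for example `ssl.create_default_context()` in Python, which enforces chain validation, expiry and hostname checks) rather than reimplementing it; the point of the function is to make the three failure classes visible so that a "click through" decision is at least an informed one.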
