security

Alaric Dailey alaricdailey at hotmail.com
Tue Oct 24 11:41:45 UTC 2006 

To prevent a MITM attack when using SSH, you have to validate the key
fingerprint manually.  Doing this properly is a much larger PITA than using
a trusted introducer, such as when you use PayPal or Amazon. Most people
have no idea that you have to check fingerprints manually and out-of-band in
order to trust encryption systems without a trusted introducer, such systems
included, OTR ( http://www.cypherpunks.ca/otr ), PGP/GPG (
http://www.pgp.com and http://www.gnupg.org respectively ), SSH, and all
self-signed SSL certificates.

I still wouldn't call SSL a PITA though.  These days its cheap (
http://www.registerfly.com/ssl/ ) or free ( http://cert.startcom.org ) and
much easier than trying to teach your users how to validate a key properly.





-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Martin Atkins
Sent: Tuesday, October 24, 2006 2:05 AM
To: general at openid.net
Subject: Re: security

James A. Donald wrote:
> Scott Kveton wrote:
>  > Can folks give me an example of something that was  > completely 
> secure from day one and that got  > wide-spread adoption?
> 
> SSH was designed to be completely secure from day one, and except for 
> the usual bugs, was.
> 
> In contrast, we have *never* entirely succeeded in retroactively 
> cobbling security on top of a protocol that was not designed from the 
> beginning to be secure - in particular, secure modes for telnet, the 
> primary competitor of SSH, never really worked.
> 
> Because SSH has only one mode, and that mode secure, the user will 
> seldom see an "are you sure" dialog, and is therefore not trained to 
> click through that dialog.
> 

I would argue that part of SSH's success in relation to other SSL-based
solutions is that it is not fundamentally based on certificates, and so
there's much less overhead to bootstrapping yourself; I just apt-get install
ssh and the package generates me a server keypair automatically; I don't
have to go though the arduous process of either getting a cert or
self-signing my own, and I don't get clients bitching at me every time I log
in because my cert is self-signed. It just works.

One of the main reasons why I don't use SSL on servers more is that SSL -
whatever protocol is bundled inside it -?is generally a pain in the ass.


_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general

More information about the general mailing list