5877628 2000-12-19 11:33 -0700  /19 lines/ Kurt Seifried <seifried@SECURITYPORTAL.COM>
Sent by: joel@lysator.liu.se
Imported: 2000-12-20  06:03  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: seifried@securityportal.com
Recipient: Bugtraq (import) <14361>
Subject: Re: "The End of SSL and SSH?"
------------------------------------------------------------
From: Kurt Seifried <seifried@SECURITYPORTAL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <005901c069ea$3f73eec0$ca00030a@seifried.org>

It is also incredibly difficult for users to ascertain whether the
key is legit or not. I've had some people suggest that all the SSH
keys be PGP signed and put on floppy and given to users (that one
made me laugh). Most users will happily accept SSL certs that have
expired, point to the wrong site or are self signed (all of which
could be a man in the middle attack or a lazy admin). I used to
religiously sign emails with PGP until I realized that no-one
probably checked, how did I know this? I started modifying the email
after signing so that it wouldn't verify, no-one ever complained.

SSH and SSL are in my opinion poor implementations of security
protocols, they also lack a lot of things such as repudiation/etc. To
believe they are the best we can do makes me very sad. I suspect in 5
years we'll talk about ssh/ssl like we talk about telnet right now.

> Perry Metzger

-Kurt
(5877628) --------------------------------(Reflowed)
Comment in text 5877634 by Perry E. Metzger <perry@PIERMONT.COM>

5877634 2000-12-19 13:47 -0500  /55 lines/ Perry E. Metzger <perry@PIERMONT.COM>
Sent by: joel@lysator.liu.se
Imported: 2000-12-20  06:20  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: perry@PIERMONT.COM
Recipient: Bugtraq (import) <14363>
Comment to text 5877628 by Kurt Seifried <seifried@SECURITYPORTAL.COM>
Subject: Re: "The End of SSL and SSH?"
------------------------------------------------------------
From: "Perry E. Metzger" <perry@PIERMONT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <87k88w2qoz.fsf@snark.piermont.com>

"Kurt Seifried" <seifried@securityportal.com> writes:
> It is also incredibly difficult for users to ascertain whether the
> key is legit or not.

Generally, if a key is already in use, it is very likely
legitimate. If a key comes up as having changed, it is probably not
legitimate.

This does leave the question of how do you get keys in the first
place. In most organizations, however, systems administration is
capable of maintaining such things reasonably well. We could perhaps
make that problem a bit better with mechanisms such as on-line key
lookup (using a sort of public key version of what kerberos provides
for private key protocols), but PKI qua PKI won't improve the
situation, and in practice you can (somewhat cumbersomely) get 90% of
the benefits right now simply by being systematic about key
management.

> Most users will happily accept SSL certs that
> have expired, point to the wrong site or are self signed (all of
> which could be a man in the middle attack or a lazy admin).

And yet, SSL certs are based on the X.509 PKI architecture. You claim
a PKI will fix things, but obviously it hasn't in this instance.

> I used to religiously sign emails with PGP until I realized that
> no-one probably checked, how did I know this? I started modifying
> the email after signing so that it wouldn't verify, no-one ever
> complained.

I'm hardly surprised. The tools to check are hard to use and the need
is rarely obvious.

> SSH and SSL are in my opinion poor implementations of security
> protocols, they also lack a lot of things such as
> repudiation/etc. To believe they are the best we can do makes me
> very sad. I suspect in 5 years we'll talk about ssh/ssl like we talk
> about telnet right now.

I doubt it. SSH and SSL are fine protocols, but are dependent on key
management mechanisms. What you are noting is that key management is a
hard problem. Well, so it is -- but that doesn't mean that if we
change the way we do key management that SSH and SSL would go
away. The protocols themselves are fine.

In general, PKI is probably not the answer. Among other things, the
fact that it requires revocation infrastructure in the first place
gives one pause. CRLs do not work in practice.

Perry
(5877634) --------------------------------(Reflowed)
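
The rule of thumb in the message above (a key already in use is very likely legitimate, a key that has changed probably is not, and the open question is how keys are obtained in the first place) can be written as a key-continuity check. The following Python is an added example, not part of either message or of SSH or SSL themselves; the `PinStore` class, the `host keytype key` line format and the sample keys are assumptions made for illustration.

```python
import base64
import hashlib
from enum import Enum


class Verdict(Enum):
    MATCH = "match"          # same key as before: very likely legitimate
    FIRST_USE = "first-use"  # no pin yet: how the key was obtained matters
    CHANGED = "changed"      # differs from the pin: probably not legitimate


def fingerprint(key_b64: str) -> str:
    """SHA-256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class PinStore:
    """Host -> pinned key fingerprint, with a record of how each pin arrived."""

    def __init__(self, provisioned: str = ""):
        self.pins = {}  # host -> (fingerprint, source)
        # Admin-distributed pins, one "host keytype base64key" entry per line.
        for line in provisioned.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            host, _keytype, key_b64 = line.split()[:3]
            self.pins[host.lower()] = (fingerprint(key_b64), "provisioned")

    def check(self, host: str, key_b64: str, allow_first_use: bool = False) -> Verdict:
        host, seen = host.lower(), fingerprint(key_b64)
        pinned = self.pins.get(host)
        if pinned is None:
            if allow_first_use:  # trust on first use: pin it, remember it was unverified
                self.pins[host] = (seen, "first-use")
            return Verdict.FIRST_USE
        # A changed key never overwrites the pin; replacing it is an admin action.
        return Verdict.MATCH if pinned[0] == seen else Verdict.CHANGED


# Constructed sample data: these are placeholder byte strings, not real host keys.
KEY_A = base64.b64encode(b"constructed-host-key-A").decode()
KEY_B = base64.b64encode(b"constructed-host-key-B").decode()
PROVISIONED = f"# distributed by sysadmin\nbuild.example.org ssh-rsa {KEY_A}\n"
```

The `source` field separates pins that administrators distributed from pins accepted on first contact, so the unverified ones can be reviewed later.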