On Fri, Dec 12, 2003 at 11:00:31PM +0100, Florian Weimer wrote:
Thor Lancelot Simon wrote:
For what it's worth, the possibility of this general type of attack was
repeatedly discussed in the IPsec working group and is a major reason
why XAUTH was abandoned. The particular password-stealing attack that I
describe as been widely discussed among IKE implementors for at least two
years; other implementors probably independently noticed it at least as
early as I did, which was three years ago.
And we have technology deployed that solves exactly the same problem in
a reasonable way: SSH.
Yes and no. SSH is not, by itself, a network-layer encryption solution,
and there are many applications where that's really desirable. The other
issue is, of course, that SSH's model for authenticating host identities
is, itself, a mess: in this day and age, it is not acceptable to just
punt on the problem of first contact and pretend that users will reasonably
exchange key fingerprints offline. The widespread success of sniffing
and MITM attacks on the SSH protocol -- all due to users not doing what
the protocol, by omitting any means of using a hierarchy or web to validate
host keys, requires them to do -- should be proof enough of this.
Intro
