From: Robert Watson (rwatson@FreeBSD.ORG)
Date: Sun Jan 07 2001 - 10:21:16 CST

    On Sun, 7 Jan 2001, 1st Vamp wrote:

    > To: Wes Peters <wes@softweyr.com>
    > Date: 07/01/2001, 12:45:09
    > Subject: Re: Antisniffer measures (digest of posts)
    >
    > Technically any SSL enabled telnet client wouldn't be that different from
    > using a normal telnet client through an SSL tunnel, such as stunnel,
    > although some bugs have been found in recent ports, and this is technically
    > no more secure than plain old SSH.

    I'm not sure I follow your argument -- if the SSL telnet properly
    evaluates X.509 certificates, and has preconfigured, trusted roots, then
    an SSL telnet does offer something that SSH does not have: the ability to
    connect to a new host without a manual keying procedure. Given that the
    weakness currently widely touted as existing in SSH is really a failure to
    provide an automatic keying procedure (and users not knowing how to deal
    with that), it seems to be the case that in that regard, it really *is*
    more secure than plain old SSH. Now, at least some of the SSL clients out
    there actually don't do this: for example, last time I looked at pine-SSL
    (a while ago), it performed no certificate checking, meaning it was quite
    subject to a man-in-the-middle attack, and unlike most versions of SSH,
    would not display any warning indicating the potential for one. However, a
    properly written and configured SSL client should not do this.

    Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
    robert@fledge.watson.org      NAI Labs, Safeport Network Services

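The two trust models contrasted in the reply, as an added example that is not part of the original thread or of any of the software it mentions: a TLS client context that verifies the server's certificate chain against preconfigured trusted roots and checks the hostname (what Watson calls a properly written and configured SSL client), beside one that performs no certificate checking at all (the pine-SSL behaviour he describes), and a small model of SSH-style known_hosts checking where a host seen for the first time needs a manual keying decision. The host names, key bytes and the function names are constructed for the example; no network connection is made.

```python
"""Added example: what 'properly evaluates X.509 certificates with
preconfigured trusted roots' means for a TLS client, versus an
SSH-style trust-on-first-use host key check. Uses only the standard
library; nothing here connects to the network."""
import hashlib
import ssl


def make_verifying_client_context(cafile=None):
    # create_default_context() loads the platform root store (or the given
    # cafile), requires the server to present a certificate that chains to
    # one of those roots, and enforces hostname matching. This is the
    # configuration that makes an impersonating host detectable.
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH,
                                     cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_unverified_client_context():
    # Models a client that does no certificate checking: any certificate
    # from any peer is accepted and no warning is produced, so a host in
    # the path is indistinguishable from the real server.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Describe whether a client SSLContext would detect an impersonated
    server. Both chain verification and hostname checking are needed:
    a valid certificate for the wrong name is still an impersonation."""
    verifies_chain = ctx.verify_mode == ssl.CERT_REQUIRED
    verifies_hostname = bool(ctx.check_hostname)
    return {
        "verifies_chain": verifies_chain,
        "verifies_hostname": verifies_hostname,
        "mitm_resistant": verifies_chain and verifies_hostname,
    }


def fingerprint(host_key):
    """SHA-256 fingerprint of a raw host key (constructed bytes here)."""
    return "SHA256:" + hashlib.sha256(host_key).hexdigest()


def tofu_host_key_check(known_hosts, host, presented_key):
    """Model of SSH known_hosts handling (trust on first use).

    known_hosts maps host name -> fingerprint recorded at first contact.
    Unlike the X.509 case there is no third party to consult for a host
    never seen before: the client can only ask the user, which is the
    'manual keying procedure' the reply refers to."""
    presented = fingerprint(presented_key)
    recorded = known_hosts.get(host)
    if recorded is None:
        return "unknown host: manual keying required"
    if recorded != presented:
        return "host key mismatch: possible man-in-the-middle"
    return "trusted"


if __name__ == "__main__":
    print("verifying client:", audit_context(make_verifying_client_context()))
    print("unverified client:", audit_context(make_unverified_client_context()))
    # Constructed known_hosts entry for a hypothetical server.
    known = {"alpha.example": fingerprint(b"constructed-key-alpha")}
    print(tofu_host_key_check(known, "alpha.example", b"constructed-key-alpha"))
    print(tofu_host_key_check(known, "beta.example", b"constructed-key-beta"))
    print(tofu_host_key_check(known, "alpha.example", b"constructed-key-other"))
```

The audit function is the check a reviewer would run over a client's context: a context whose `verify_mode` is `CERT_NONE` is the pine-SSL case from the reply, accepting any peer silently, while the verifying context turns an impersonation into a handshake failure with no user decision involved. The known_hosts model shows the other side of the comparison: an unknown host is not an error, only a question to the user.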