Slashdot Mirror
The Continuing End of SSH/SSL
Kurt Seifried, who started out this End of SSL and SSH string, with Silverman responding, has now issued his follow-up. I promise anymore of this string will just go in Slashback.
← Back to Stories (view on slashdot.org)
This guy completely loss all of his credability in the security industry and now he tries to write a better article show that he isn't a complete moron. He should have posted this second article instead of the his awful attempt on the first one. All of ideas he "wrote" about were all posted on bugtraq criticizing him for lack of knowledge. Go kurt!
I think this issue is not new. And every Admin who has installed SSH knows this drawback. However SSH/SSL is still better off than non-encrypted channel any day. It is definitely not acceptable for an E-Commerce solution. I don't think I'll ever transfer a million dollars using SSL technology. Its too much of a risk still. I don't care how many bits it supports.
I have implemented Cache engines/proxy servers. And its pretty simple to setup a trojan there which could in theory decrypt SSL... I think we will see more of these kinds of trojan attacks over SSL in the near future. There is not much one can do to avoid it. Nothing that I can think off.
Since the number of keys are exponentially rising I think some work needs to be done in refining the implementation of this technology.
1. To begin with, as the author of this article says, Force Expiration of all keys. No key should exist for ever. Its like junk yard in space after the satellites break down. The junk has to be removed eventually. Its better if we start now.
2. I think some time back there was some work done in distributing PGP keys in DNS records. This could in effect make SSH more secure. If I were to use the KISS principle I'd make SSH clients to auto-register its keys in the local DNS somehow.
3. Same with SSL. By default Browsers should reject SSL keys if its not signed by a CA. Exceptions could be made if it can be verified atleast by using a reverse lookup on DNS.. or something like that. However that doesn't mean that the proxy server cannot sniff DNS requests and forge it too... NEway... its just an idea. May be we should reject everything not signed by a CA.
OK.. that were weird ideas... I don't think anyone can be serious enough to go all the way, because I personally can't think of implementing such a complicated solution for my clients.
rkt
Sure, if anyone had tried to claim that ssh/ssl were dead a year ago, RSA would have shut them up in a second. Of course, now that the RSA algorithm is public domain, big business has every incentive to deem it useless... Concentrate on tweaking the implementations, the basis of public key cryptography is rock solid.
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
Basically, all he's said is having good security is hard, and your average user is not up to the task. Another way of saying this is that the weakest part of most security systems now is the people that use them. I think this is pretty well-known already.
SSH and SSL, when used correctly, can provide good security. They aren't idiot-proof, but then again, what security system is?
Crypt-kiddies and Script-kiddies are basically the same.
http://erichsieht.wordpress.com/category/english/
Well this guy bashes everyone and everything. Except centralized authentication.
/. staff. Maybe it is correct to have the answer to public reaction published. A good form of pluralism and democracy. Howoever beware of these FUD articles from first start. Anyway, every security system depends fundamentaly on one only protocol. One with two legs, two hands and a head with a whole need for bugfixes, patches and Service Packs. No one has ever replaced this protocol. And so, no other security protocol can be 100% secure. Any claim on stating protocol disadvantages from typical human actions, and made in such partial way as Mr. Seifried did, is nothing but FUD.
Well Mr. Seifried let me say one thing. If you compromise a SSH connection you mostly compromise the computers that are inside this connection. In most cases two computers.
If you compromise a Kerberos server then one may get the security of whole networks to be put under question. While you speak a lot about the +++ and --- of several protocols, I would remind you that Kerberos had some glitches for the last time. As far as I know, M$ and RH have issued a few patches after they started releasing Kerberos. No matter their nature, this shows that the realisation is still not perfect. So may in a moment we may get a few security holes to deal with for long.
But the main reason for not using Kerberos lays in the fact that computers are more than a service. Yes, one may try to step up a security server doing only Kerberos. But to what cost this will come? It is surely more expensive than having SSH doing its dirty job in every computer. Not everyone has money and guts to make things perfect. A backdoor in some third service, administrator access to Kerberos and let's see how good this stuff is...
Besides you forget that a Kerberos security scheme is more prone to DoS. Any well planned attack against the security server and let's see how your clients will live. But, even this may not be needed. A glitch on the network may be able to create havock. I have seen many cases when this stuff shows clearly that it is better to have an SSH backdoor everywhere rather than laying security in one only place. Any possible problem that breaks contact with the "mother of all networks" and you are on your own. Services start to run crazy, overloading machines and networks. Users cannot go in to stop this or to do external tasks.
Kerberos may be a solution to organise things. But it has as many drawbacks as the services you point out. One of them distribution and here we are in the same place as the DNSSEC/IPSEC. As far as I see even this two protocols have a more well-spread distribution than Kerberos. If we take a look, a good piece of that stuff is already laying on Linux. probably other systems supporting IPv6, and Bind 9. Why they are not used? Because of the necessity to change a few critical things and sysadmins lazyness to do it.
To
If SSL/SSH doesn't protect people's passwords from MITM attackts, what _does_ it protect them from?
Seriously, isn't encryption only protecting against MITM situations or am I missing something here? (I hope I am, otherwise this would all be one silly discussion!)
zalig kerstfeest,
CBAS
The server has to authenticate itself to the user and the user has to authenticate to the server. Taking these one at a time... First, OpenSSH2.4 will support the use of CryptoCard authentication tokens. This does a good job of authenticating the user to the server. Second, well, you have to check the public key the server sends out to make sure it doesn't change. Part of this is a UI issue with the clients. Also, the client machine needs to be secure and tamper-resistant. If it is trojaned, there is nothing you can do to prevent session hijacking. Secure OS and secure hardware are part of the requirements here. We have a fairly secure OS: OpenBSD. We need a secure web browser, and to get really security, we need tamper-resistant hardware. Remember this mafia guy that the FBI bugged his keyboard? We need hardware that can prevent those kinds of attacks. So we have a ways to go before we get to secure communication. But SSH, especially ssh+cryptocard+openbsd, is a huge step in the right direction.
Tools like dsniff seem mainly designed for use on non-switching LANs. Unless you manage to subvert the infrastructure of a major ISP, I don't see how they would help you with hacking the traffic between me and my bank using a man-in-the-middle attack. But the infrastructure problems that allow man-in-the-middle attacks are much easier to exploit for denial-of-service, so it seems likely that major ISPs already have a strong incentive to guard against them.
So, before getting all pushed out of shape about the possibilities, I would like to hear more discussion about the possibility of man-in-the-middle attacks on the Internet infrastructure itself--the part between my site and the bank's site which neither the bank nor I control; the case of attacks on shared LANs at my site or the bank just isn't all that interesting to me because I don't perceive it as a significant additional threat compared to what my users or the bank's employees can already accomplish using other, simpler means.
In the article, Kurt spends a couple of paragraphs expostulating on the lackluster way in which SSH clients present new/changed key issues. While I agree that SSH clients should be more strenuous in warning the user of new/changed keys, the failure to do so is not a fault of the protocol, simply of the writers of the software.
I use PuTTY on my Win boxes to SSH into my servers, and its messages are exactly as he says they should be... "Warning!", etc, so clearely, this is not a universal problem.
Also, AFAIK, there is no facility in the SSL/SSH protocols themselves to deal with alert messages such as this, although I don't think that the protocol itself is the place for these kinds of messages.
To put it succinctly, it's not the protocol's fault if a user blindly accepts these new keys as authentic.
Akardam Out
I can install a solid steel door in your house, with the best deadbolt locks, a top-of-the-line alarm system, and all the bells -n- whistles you can imagine. But if it's too much trouble for you to lock the damned door, none of it does any good. When someone knocks and says "Candygram", it might just be a land shark. We all saw Matthew Broderick read the password off the secretary's desk, defeating whatever security was behind that password.
Can the protocols be fine-tuned to make security holes more obvious to those who know what they mean? Sure. We'll argue about the details of when keys should expire (I say there should be some long-term keys used for nothing other than signing shorter-term keys, for instance), and other minutiae. But I've seen people pay good money to attend classes where the instructor said that "https://" means "you're secure", and left it at that.
Frankly, Joe Average User hasn't had the educational background to question authority, perception of reality, etc. If it looks official, it must be. Like so many other of the issues we discuss here (DeCSS, copy-protected HDs, crypto export restrictions, etc.) we must educate Joe (and Jane) if we ever want to make progress. When was the last time you explained to your semi-computer-literate friends "Email is like a postcard, PGP/GPG is like an envelope"? Widespread use of the Web of Trust model would help make the use of secure protocols as secure as the protocols themselves.
[100% ISO 646 Compliant]
SVM, ERGO MONSTRO.
I'm sorry, but for the main part it seems like interpreting Bruce Schneier's motto "Security is a process, not a product" to mean that therefore all products are insecure and we should panic. It's hardly news that these products don't drop into place and create perfect security. No measure is perfect; what's wonderful is that when you use these measures, it gives an attacker headaches like greater expense and difficulty and a better chance of being caught, and that's what computer security is really all about.
Now I think there's a lot to be said for articles that detail the ways someone might try and mount attacks that circumvent the protection offered by these measures, so that you know how to gain the most protection from them, but presenting it in the form of alarmism about sensible security precautions is irresponsible.
Also, there's at least one important error in this article: Unlike SRP, B-SPEKE et al, Kerberos is *not* a ZKP password protocol. The Kerberos password protocol, IIRC, is a "weak" password protocol that allows offline dictionary attacks where no extra authentication information exists at the client end. Seifreid interviewed the creator of SRP last year (sorry, can't find URL just now), but I'm not sure he "gets it" about why SRP and friends are so great.
--
Xenu loves you!
If an attacker manages to break into a server that uses SSL to secure services they can steal the certificate. [...] They can then use the certificate to setup a service that looks identical to the original, with some DNS poisoning they can direct users towards it.
This is so toy it's not funny. Let's consider the 101 reasons why no-one does this. First, if you can "break into a server" that is used for secure transactions, you have a lot of options for getting those little magic numbers. First, you can look in their database if they are stupid enough to log cc numbers (hello amazon and all you one-click wannabes) and get a few million cc numbers. You can also trojan the web server or the cc processing cgi and intercept live transactions there. But perhaps the attacker is a little afraid of getting caught so he doesn't wanna touch anything on the web server cause he might "break it". So why wouldn't he go set up a fake server? Well, he has the server certificate! He can just passively monitor the traffic and watch the handshake using the private key, get the symetric session key and watch all the traffic go by at his leisure. This is not to say that people don't set up fake servers and redirect DNS to point to them. It happens all the time, but these are people who don't have the certificate and hope that shoppers wont notice that the transaction isn't encrypted or is encrypted with a different certificate.
This "rebuttal" is filled with similar stupid statements that real experts immediately pick as scare mongering. What is your motive here Seifried?
How we know is more important than what we know.
The way I see it, you need to have root to retrieve a private key. If someone already has root on your computer, don't you have more pressing concerns than whether or not someone might execute a man-in-the-middle attack against you?
-Alec
--
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
Kurt is only saying things that are true, but it's the way he's saying them. In this case, he gave CBAS the idea that SSH doesn't protect people's passwords from MITM attacks. In reality, SSH, when carefully used, is perfectly secure. For better or worse, this existing implementations don't insist that you use it carefully. For example, before accepting a host key, ssh could ask you for its fingerprint. How do you get its fingerprint? You get it from the host in some secure manner; perhaps by logging into the console.
-russ
Don't piss off The Angry Economist
I know someone who uses CP/M and I still use a printer terminal.
While some throw out 386s others surf the web on XTs.
Intel discontinues old Pentium chips annother chip maker builds faster 65816 chips (20 mzh) and others make imbeded computers using 486 clone chips.
While some throw out a larg screen TV for a new HDTV others buy old B/W 9 inchers..
While some buy new digital clocks some go out of there way for wind ups...
The point?
What the hell is obsolete?
Obsolete is someone elses idea of "not useful anymore" but nothing ever really becomes "not useful"..
SSH/SSL will die when mankind dies... piriod.. Not when it becomes unuseful in the eyes of the majority... but when isn't a single person left who might spawn a child who might find it useful for something....
So XXX is dead... yeah.... Dos is dead.. thats what Microsoft keeps saying... and they still can't get rid of it...
Nothing ever dies.. software never dies.. it just stops being populare...
I don't actually exist.
perfect forward secrecy: In cryptography, of a key-establishment protocol, the condition in which the compromise of a session key or long-term private key after a given session does not cause the compromise of any earlier session.
And that is why your message is score 0.. frankly, I think it should be -1, offtopic.
How we know is more important than what we know.
Clearly the human brain is obsolete..
When prompted the human brain will run e-mail trojens (posably viruses) even when it knows better.
When prompted it will accept incryption keys even when the prompt details that the new key is very likely invalid and DaNgErOuS.
The human brain is quite capable of designning all kinds of elabrate securing systems but any time the brain plays an active role in this process the brain attemps to use easlly hacked passwords.. leave defaults in place... say ok to prompts that say "Danger you WILL die if you accept this"...
The human brain must be replaced soon...
I don't actually exist.
I too, was not impressed with Seifreid's followup. He changed his arguments on a number of different issues, and completely avoided areas where he was shown to be wrong or misleading. In a formal debate session, he would have been docked massive points by the judge. It was clear he was trying to be sensationalistic, and after reading his original article, the rebuttal, and his followup, I'm left wondering how much he fundamentally understands the tradeoffs of how public key works and what's necessary to make a useful/usable system.
One very important point which hasn't been addressed to date is that if you're using RSA authentication (and not password authentication) the risks are much reduced. Also, even if you use an insecure means of getting the public key of a host, the MITM attack only applies the *first* time you contact the host. Once you have the public key stored in your known_key file, you'll know if the public key asserted by the host ever changes. That's actually a pretty strong assurance, in real life. If you ever once had a secure channel between host A and host B, if a script kiddie breaks into your next work the following month and installs desniff, you'll get the warning message about the host key changing.
Kurt Seifried's defense against this point was that he pointed out that one Windows client has a lame message which isn't as strong as the warning made by the Unix client. That's a valid complaint, but that's a complaint against a specific implementation, and not against the protocol. So much for his claims in his original article that the ssh protocol was irretrivably broken....
In the greater scheme of things, perhaps the biggest disappointment was that Slashdot posted a link to his original drivel... His original article wouldn't have passed my editorial standards.
Sometime the vulnerability might due to human mistake, or misconception. Most people would enable both RSA(public/private keys) authenticaion and Password Authentication when setting up a SSH server in *nix.
Enable password authentictaion is effectly breaking the security of RSA, introduce a easier method, or backdoor, to intrude.
I plan to continue to use ssh. The only threat appears to be lack of paying attention. It is not nice to expire host keys without warning users ahead of time.
On Unix, ssh is quite secure. Using it from M$ should be avoided, but admitably, it isn't allways an option. Other extreme security problems in Windoze, not ssh, appear to be the real problem. Just try to avoid doing remote system maintainance
from untrusted systems and clients.
were you expecting to see a sig here? perhaps you'd rather see the inside of an ambulance!
To call the problem the death of SSL/SSH is extreme sensationalism.
Considering the many less secure protocols in use everyday, let's just say THE INTERNET IS DEAD!!!!!!!!!! Burn your computer now before it's TOO LATE!!!!!
Notw that THAT's out of my system, Let's face it, the same people who worry about how secure their credit card is in transit will cheerfully hand it over to a waiter who will disappear with it for 5 minutes at least, hand it over to the part-time temp worker behind the register, or call it out over the phone to a person they can't even see, much less know.
The bigger problem seems to be what happens to the number AFTER it is sent. Several databases have been raided by crackers, and several companies have turned out to be fraudulant (but they WERE who they said they were and DID have valid certs).
There are a lot of ways to get credit card numbers for fraud, MITM is one of the more expensive and risky. It would be much safer to redbox a payphone and just ASK people at random (I'm with Xbank and I can save you hundreds a year, to get started, I need the Name. number and expiration from your Visa). Many will hang up, many will tell.
As for corperate security, the risks may be higher, but can be overcome with employee training. I'm guessing that employees writing down their passwords (or choosing lame passwords) is a bigger problem in that setting.
Like everything, risks exist, there is no magic bullet, and proper precautions can mitigate that risk.
Neither SRP nor Kerberos are zero knowledge protocols. A zero knowledge protocol ('proof' is actually a better term than 'protocol' here) is a very specific mathematical thing. It involves a prover proving something to a verifier in such a way that the verifier does not gain the prover's knowledge; only the fact the the prover has that knowledge.
As an example, it is possible to do a zero knowledge proof to some verifier that I know the discrete logarithm of a given number (mod some prime p) without giving away what that logarithm is. The verifier does not learn anything from this. The official definition says that the verifier himself could have simulated anything I said during the proof. This official definition (a simulation argument) is what is missing with things like SRP and Kerberos.
Ignorant security "experts" (Seifried and others) spout off stuff like "well, it doesn't look like you send out any important info, so it's zero knowledge". Zero knowledge is a not a flashy adjective to toss around to impress people; it's a mathematically precise term. It requires formalism (a simulation argument) for a protocol to earn this designation, not just some rambling and hand-waving.
Bruce Schneier's book Applied Cryptography has sort of a brief introduction to the topic. For more info, one should look into the cryptographic literature. I believe Schneier's book lists some good papers on the subject in the references.
I really just wrote an article about how security is hard, and involves a lot more than just software. User interfaces are particularly important. Anyway, I gave it a very doomsday title just to get more people to read it. I really wish I had something new to say.
-- Seifried
Thanks for the comment, and you're right to criticise my imprecise use of the term. In my defence I can only say that David Jablon, designer of B-SPEKE, employs similarly imprecise terminology, though Thomas Wu of SRP avoids it.
Work continues on password protocols about which good things can be proven: check out Stefan Lucks's Open Key Exchange for a password protocol that uses a simulator-based argument under the Random Oracle model to prove that finding a more efficient attack is dependent on breaking the underlying public key cryptosystem. AMP is another proposal in the works.
--
Xenu loves you!
see you appear to have tracked down two of my posts to reply to my sig line (why not try a recent post and put a name on it so I can actually reply to you?) I'll respond here and hope you get it. For archival purposes my sig line is currently:
The guy who invented the ice cube tray best not of applied for a patent
and Mr AC here doesn't seem to think "best not of" is valid english. Now I can only assume that our friend here is not an english speaker because "best not of" is a similar to saying "better not of" but is slightly more strong, implying that the threat implicit in "better not of" is taken to an extreme. Our AC friend however would probably debate the legitimacy of the sentence fragment "better not of" and to this I can only direct Mr AC to a linquistics book where he will discover than grammer is a descriptive disciplin, not a prescriptive one. That is to say, grammar is used to describe how people talk in a particular language, not how they should speak. If one cares to debate this opinion then one need only look at "Old English" to determine that language indeed does change and that such change is to be welcomed.
How we know is more important than what we know.