
Re: Sniffing SSH and HTTPS



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>>>>> "Richard" == Richard  <ricv@denhaag.org> writes:

[...]

Richard> There is also an analysis of the ssh packetstream revealing the
Richard> number of chars in the passwd.

Small clarification: this may reveal the number of characters in any
password that you type _within_ the ssh session.  This does not affect
the password that you use to initially log in, as the whole password is
sent in one packet.

Of course, the attacker would need to know that you are typing in a
password at that time.

Richard> Attacks can still be done when the fingerprint is unknown
Richard> (e.g. first connect to the box)

Yes, and to answer the OP's second question (how to make ssh secure),
copy the server's public key over a known secure channel (e.g. if you're
at work, get the admin to stick it on a floppy for you), or get the
fingerprint over a known secure channel (e.g. phone the admin and ask
for the fingerprint).

Richard>  or brute-force on fingerprint / rsa / dsa.

And if you manage to brute-force the fingerprint/rsa/dsa, we've got
problems.

- -- 
Hubert Chan <hackerhue@geek.com> - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/651854DF71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD  6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net.   Please encrypt *all* e-mail to me.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7jC/YZRhU33H9o38RAn3cAJ0eJvBKQTNOF0qgZMClw3m1ATXIyQCgn/tK
Kc1P/7a20XqC6x8ntygGl8M=
=unD0
-----END PGP SIGNATURE-----
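
Added example, not part of the original message: one way to check the key a server offers on first connect against a fingerprint obtained over a trusted channel, as the reply above recommends. The function names and the sample key are constructed for illustration; the key line is built from placeholder bytes and is not a real host key.

```python
import base64
import hashlib
import hmac
import struct


def parse_pubkey_line(line):
    """Return (key_type, blob) from an OpenSSH public key line: 'type base64 [comment]'."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    # The blob starts with a length-prefixed copy of the key type; reject a mismatch.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match blob")
    return key_type, blob


def fingerprints(blob):
    """MD5 colon-hex (older display format) and SHA256 base64 (current OpenSSH default)."""
    md5 = hashlib.md5(blob).hexdigest()
    md5_fp = ":".join(md5[i:i + 2] for i in range(0, 32, 2))
    sha_fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return md5_fp, "SHA256:" + sha_fp


def matches_trusted(line, trusted_fp):
    """True only if the offered key hashes to the fingerprint obtained out of band."""
    _, blob = parse_pubkey_line(line)
    md5_fp, sha_fp = fingerprints(blob)
    candidate = trusted_fp.strip()
    if candidate.upper().startswith("MD5:"):
        candidate = candidate[4:]
    if candidate.startswith("SHA256:"):
        return hmac.compare_digest(candidate.encode(), sha_fp.encode())
    return hmac.compare_digest(candidate.lower().encode(), md5_fp.encode())


def make_constructed_line(key_bytes):
    """Build a sample ssh-ed25519 line from constructed bytes (not a real host key)."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(key_bytes)) + key_bytes
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    offered = make_constructed_line(bytes(range(32)))
    trusted = fingerprints(parse_pubkey_line(offered)[1])[1]  # stands in for the admin's value
    print(matches_trusted(offered, trusted))
```

In practice the offered line would come from the server's host key file or a key scan, and `trusted_fp` from the administrator by phone or removable media.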


