
Re: Sniffing SSH and HTTPS



On Wed, Aug 29, 2001 at 01:40:20PM +0100, Eric E Moore wrote:
> >>>>> "Michael" == Michael Wood <mwood@its.uct.ac.za> writes:
> 
> Michael> Ahhh, but this is quite easily guessable, since for most
> Michael> stuff you type, the server echoes it.  For passwords, it
> Michael> doesn't.  i.e.  just watch the SSH session, and when you see
> Michael> packets going to the server that aren't being echoed you know
> Michael> the person is typing a password and you can count the
> Michael> characters.
> 
> Frightening that echoing *'s for the password could actually have
> security *advantages*.

OpenSSH 2.something (2.5.2 I think) added a mechanism where it sends
random noop packets back and forth, so it becomes difficult to
impossible to determine when a password is being typed; it also throws
a monkey wrench in this whole `sniffing encrypted sessions' nonsense.

Solar Designer's analysis talked about this iirc.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
