
Re: Sniffing SSH and HTTPS




>>>>> "Michael" == Michael Wood <mwood@its.uct.ac.za> writes:

[...]

Michael> Ahhh, but this is quite easily guessable, since for most stuff
Michael> you type, the server echoes it.  For passwords, it doesn't.
Michael> i.e.  just watch the SSH session, and when you see packets
Michael> going to the server that aren't being echoed you know the
Michael> person is typing a password and you can count the characters.

IIRC, this was one of the problems with SSH1 that was fixed in SSH2 (the
protocol version, not the program version).  I think that SSH2 will
always send back some packet to the client -- either a dummy packet, or
a real packet.  Dang, can't remember where I read that.

[...]

Michael> The problem with man in the middle attacks is that people far
Michael> too easily click on "Yes" when asked to accept a key that has
Michael> changed (or type in "yes" when asked a similar question by
Michael> SSH.)

Yup.  The biggest security hole is social engineering.

-- 
Hubert Chan <hackerhue@geek.com> - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/651854DF71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD  6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net.   Please encrypt *all* e-mail to me.


