> On Fri, Dec 12, 2003 at 11:00:31PM +0100, Florian Weimer wrote:
> > Thor Lancelot Simon wrote:
> >
> > > For what it's worth, the possibility of this general type of attack was
> > > repeatedly discussed in the IPsec working group and is a major reason
> > > why XAUTH was abandoned. The particular password-stealing attack that I
> > > describe has been widely discussed among IKE implementors for at least two
> > > years; other implementors probably independently noticed it at least as
> > > early as I did, which was three years ago.
> >
> > And we have technology deployed that solves exactly the same problem in
> > a reasonable way: SSH.
>
> Yes and no. SSH is not, by itself, a network-layer encryption solution,
> and there are many applications where that's really desirable. The other
> issue is, of course, that SSH's model for authenticating host identities
> is, itself, a mess: in this day and age, it is not acceptable to just
> punt on the problem of first contact and pretend that users will reasonably
> exchange key fingerprints offline. The widespread success of sniffing
> and MITM attacks on the SSH protocol -- all due to users not doing what
> the protocol, by omitting any means of using a hierarchy or web to validate
> host keys, requires them to do -- should be proof enough of this.

there are efforts; draft-ietf-secsh-dns-05.txt.

itojun