On Jul 7, 2008, at 2:18 PM, Maurice Volaski wrote:
Salut, Maurice Volaski,
On Mon, 7 Jul 2008 11:53:17 -0400, Maurice Volaski wrote:
Again, I think you're confusing security with a lazy programming
practice. We're talking open source here. The perfect oracle is
already there, just not in plain English.
I'm not talking about exposing information about the source code,
which
is good, but disclosing information about the key material, which is
not nearly as desirable. Please keep that in mind when you re-read my
prior mails as you don't seem to have understood it.
Who said the key needs to be exposed to the client's debug log or
even the server's? Are you trying to say that fixing this real
example of lazy programming, https://bugzilla.mindrot.org/show_bug.cgi?id=1388
, is somehow going to expose the key?
No. He's saying that it leaks information that doesn't need to be
leaked.
For comparison, long long ago, there used to be different error
messages when authentication failed. It would helpfully tell you that
your password was wrong, or that you'd supplied the wrong username.
Great for debugging, right? Well yeah ... and it was great for
enumerating the users on the box, making further attacks much simpler.
The bottom line is, don't expose data, even if it's something as
innocuous as "the key file doesn't exist," unless you have to.
Maybe you don't think it's a big deal, and maybe today it's not. How
would you feel if tomorrow a vulnerability was discovered that
affected openssh servers when the user's key wasn't found? You still
want to tell the world which of your users have misplaced key files?
Please. Accept that this is a point that's been debated to death many
times and people who really understand security much better than
either you or I have weighed all the pros and cons.
-b
