Security Portal: The End of SSL and SSH?Dec 18, 2000, 08:04 (8 Talkback[s])
(Other stories by Kurt Seifried)
"Yesterday, dsniff 2.3 was released. Why is this important, you ask? dsniff 2.3 allows you to exploit several fundamental flaws in two extremely popular encryption protocols, SSL and SSH. SSL and SSH are used to protect a large amount of network traffic, from financial transactions with online banks and stock trading sites to network administrator access to secured hosts holding extremely sensitive data. Both SSH and SSL use "public key encryption," wherein their vulnerabilities lie. They also rely heavily on the user to make the right decisions when faced with an attack, and most users are not educated enough to know what exactly they are dealing with. Users often make the wrong decision - how many times have we told users not to open up executables emailed to them?..."
"While SSL requires that the server authenticate to the user, it is usually an option for the user to authenticate to the server. And since so very few users own personal certificates, it is exceedingly rare for a user to be able to prove their identity to the server in question - leaving the connection open to attack. The same general problems exist for SSH. Instead of certificates, however, SSH simply uses a secret and public key, and since they are generally not signed, it is trivial for an attacker to sit in the middle and intercept the connection. If this is the first time you are connecting to a host and you do not have the server's public key locally, you will be none the wiser. If you do have the server's public key, you will generally receive a warning like "Warning: server's key has changed. Continue?" Most users will hit Yes."