Re: sftp module cant connect to new hosts
- From: Seth Nickell <seth gnome org>
- To: Mattias Eriksson <snaggen acc umu se>
- Cc: Alexander Larsson <alexl redhat com>, gnome-vfs-list gnome org
- Subject: Re: sftp module cant connect to new hosts
- Date: Mon, 15 Mar 2004 17:03:29 -0500
On Mon, 2004-03-15 at 02:25, Mattias Eriksson wrote:
> I totally agree with you that people don't verify the host-key, I have
> in fact written a paper related to this problem. But if we are using
> ssh, we must stick to its security model.
ssh is just a tool for us. We wanted a way to allow people to transfer
things between any two Linux computers. ssh provided a way. We are not
obligated to "buy into" ssh philosophy to use the tool. Think of the
sftp modules as being "a way to transfer files between two linux
computers", not "an ssh implementation" ;-)
> Even if we only protect the 1%
> that perform the check, the majority of users will at least have made
> things insecure by choice.
Choice? That they don't understand ssh keys is not exactly a choice.
This is just the same old buck passing.
> The solution to the problem you point out is not to "accept anything
> since this is what most users will do anyway", but using some other
> method with another security model. The security models we have are too
> complex and are built on the assumption that the user has some hidden
> desire to know about the technology behind the scene. Unfortunately I
> haven't found any secure and simple solution to this problem. So for now
> I suggest we stick to the security mechanisms we have, but keep on
> looking for better ones.
The mechanism we have isn't a solution in actual use. It's only a
solution on paper.
1) It has a usability cost to the majority (another irritating,
2) It has a usability gain, in exotic unusual circumstances, to a very
small minority (the paranoid people who actually use nautilus find out
when the key changes)
We're stuck between a rock and a hard place, I agree, but the
utilitarian tradeoff is to go with what benefits the majority most.
Security doesn't *always* trump, esp. when it's false security (since the
mechanism doesn't work for the vast majority of people).
The most secure computer is turned off and locked in a vault ;-)