Re: sftp module cant connect to new hosts



On Mon, 15 Mar 2004, Seth Nickell wrote:

> From: Seth Nickell <seth gnome org>
> Subject: Re: sftp module cant connect to new hosts
>
> On Mon, 2004-03-15 at 02:25, Mattias Eriksson wrote:
> > I totally agree with you that people don't verify the host-key, I have
> > in fact written a paper related to this problem. But if we are using
> > ssh, we must stick to its security model.
>
> ssh is just a tool for us. We wanted a way to allow people to transfer

This is a VERY bad and regrettable attitude...

> things between any two Linux computers. ssh provided a way. We are not
> obligated to "buy into" ssh philosophy to use the tool. Think of the
> sftp modules as being "a way to transfer files between two linux
> computers", not "an ssh implementation" ;-)
>
> > Even if we only protect the 1%
> > that perform the check, the majority of users will at least have made
> > things insecure by choice.
>
> Choice? That they don't understand ssh keys is not exactly a choice.
> This is just the same old buck passing.
>
> > The solution to the problem you point out is not to "accept anything
> > since this is what most users will do anyway", but using some other
> > method with another security model. The security models we have are too
> > complex and are built on the assumption that the user has some hidden
> > desire to know about the technology behind the scene. Unfortunately I
> > haven't found any secure and simple solution to this problem. So for now
> > I suggest we stick to the security mechanisms we have, but keep on
> > looking for better ones.
>
> The mechanism we have isn't a solution in actual use. It's only a
> solution on paper.
>
> 1) It has a usability cost to the majority (another irritating,
> technobabble dialogue)
> 2) It has a usability gain, in exotic unusual circumstances, to a very
> small minority (the paranoid people who actually use nautilus find out
> when the key changes)

It may very well be a usability cost, but you can't just blindly accept
the new key. This is a major security risk.

I should also point out that all the members of the mozilla family do
(and have done) this: mozilla, mozilla-firebird and mozilla-firefox all
had warnings when you submitted form data over an insecure link, or
when you went from a safe (https) to an unsafe (http) site (or vice
versa).

I really don't think you can throw security overboard because it is a
minor inconvenience to the users. And then I'm not even a security zealot,
just someone with a little common sense.

> We're stuck between a rock and a hard place, I agree, but the
> utilitarian tradeoff is to go with what benefits the majority most.
> Security doesn't *always* trump, esp. when it's false security (since the
> mechanism doesn't work for the vast majority of people).
>
> The most secure computer is turned off and locked in a vault ;-)

True, but then why not just stop coding the gnome desktop at all...?

> -Seth

kr,

Chipzz AKA
Jan Van Buggenhout
-- 

------------------------------------------------------------------------
                 UNIX isn't dead - It just smells funny
                           Chipzz ULYSSIS Org
------------------------------------------------------------------------
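The host-key check the thread argues over, as an added illustration that is not part of the original mail or of the gnome-vfs sftp module: a minimal known_hosts-style store that distinguishes first contact from a changed key, so that "accept unknown hosts" never silently becomes "accept changed keys". Host name and key bytes are constructed sample values.

```python
import base64
import hashlib
from enum import Enum


class HostKeyStatus(Enum):
    MATCH = "known host, key matches stored key"
    NEW_HOST = "unknown host: first contact, fingerprint should be verified"
    CHANGED = "host key changed: possible man-in-the-middle, refuse"


def fingerprint(pubkey: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint (base64 without padding)."""
    digest = hashlib.sha256(pubkey).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class KnownHosts:
    """In-memory stand-in for ~/.ssh/known_hosts: host -> public key."""

    def __init__(self):
        self._keys = {}

    def check(self, host: str, pubkey: bytes) -> HostKeyStatus:
        stored = self._keys.get(host)
        if stored is None:
            return HostKeyStatus.NEW_HOST
        return HostKeyStatus.MATCH if stored == pubkey else HostKeyStatus.CHANGED

    def trust(self, host: str, pubkey: bytes) -> None:
        # Only called after the user accepted the fingerprint for a NEW host.
        self._keys[host] = pubkey


def connect_decision(store, host, pubkey, accept_unknown):
    """Return (status, proceed). A CHANGED key is never auto-accepted,
    whatever the policy for unknown hosts is: that is the MITM case."""
    status = store.check(host, pubkey)
    if status is HostKeyStatus.MATCH:
        return status, True
    if status is HostKeyStatus.NEW_HOST and accept_unknown:
        store.trust(host, pubkey)  # trust-on-first-use, recorded for later
        return status, True
    return status, False


def demo():
    store = KnownHosts()
    key_a = b"ssh-ed25519 constructed-sample-key-A"  # constructed, not a real key
    key_b = b"ssh-ed25519 constructed-sample-key-B"  # a different (attacker's?) key
    first = connect_decision(store, "files.example", key_a, accept_unknown=True)
    again = connect_decision(store, "files.example", key_a, accept_unknown=True)
    changed = connect_decision(store, "files.example", key_b, accept_unknown=True)
    return first, again, changed
```

The third call is the case the mail warns about: even with a liberal first-contact policy, a key that differs from the stored one must stop the connection rather than be accepted as "just another new key".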