Re: Securing ssh tunnels.

• Previous message: Atro Tossavainen: "Re: Sftp Logging Patch"
• In reply to: Roy S. Rapoport: "Re: Securing ssh tunnels."
• Next in thread: Greg A. Woods: "Re: Securing ssh tunnels."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 27 Jun 2003 09:51:07 -0600
To: secureshell@securityfocus.com

Roy S. Rapoport(rsr@inorganic.org)@Thu, Jun 26, 2003 at 06:17:01PM -0700:
> When dealing with a cleartext protocol (HTTP, telnet), your filters/proxies
> can exercise perfect control over what's going out, because they can
> inspect the payload. Your outbound connection has "ORCL" and "MSFT" in the
> payload? Well, maybe it'll have a little accident on the way ...
>
> But with SSH/HTTPS, you're screwed -- there's no way to figure out what
> the user is sending out. It is, from your point of view, less secure, much
> like the government feels it's less secure for everybody to have cyphers
> the NSA can't crack.

That's where sshmitm and webmitm come in. You tell all of your users
that, yeah, SSH/SSL is a great idea. But you have an obligation to see
all outgoing traffic. They still get their stuff encrypted from point to
point (with a small crack inbetween), you get to make sure they're not
doing anything stupid. Same as you do with web traffic (transparent
proxy) and telnet.

-- 
Bill Weiss
 
The right of the people to be secure in their persons, houses, papers, and
effects, against unreasonable searches and seizures, shall not be
violated, and no Warrants shall issue, but upon probable cause, supported
by oath or affirmation, and particularly describing the place to be
searched, and the persons or things to be seized.
	--	The fourth amendment

• Previous message: Atro Tossavainen: "Re: Sftp Logging Patch"
• In reply to: Roy S. Rapoport: "Re: Securing ssh tunnels."
• Next in thread: Greg A. Woods: "Re: Securing ssh tunnels."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]