Re: On why debugging OpenSSH can be so hard
- From: Maurice Volaski <mvolaski@xxxxxxxxxxxx>
- Date: Wed, 9 Jul 2008 13:30:07 -0400
Please bear in mind that in the world of cryptography, the difference
between proper error messages and information disclosure
vulnerabilities is narrow, or only a nuance.
IMHO, you have it backwards. It is the improper error messages that can pose a security risk. If my OpenSSH program is either misconfigured or malfunctiong, and it may be exposing my systems to something nefarious, then how am I to efficiently debug it
That's why it fails at that point.
It meaning OpenSSH? So what do you mean by its failing? Because it doesn't let me debug efficiently, it fails to be a "nice" program? But that doesn't make sense given your later argument that suggests it shouldn't be a "nice" program because in this case,"nice" programs expose security risks. Unless, of course, you think the failure is OK, that the failure trumps the security risk you claim. Or you mean something else and I'm not getting it?
(I hope this response adds more to the discussion. :-))
--
Maurice Volaski, mvolaski@xxxxxxxxxxxx
Computing Support, Rose F. Kennedy Center
Albert Einstein College of Medicine of Yeshiva University
- Prev by Date: Re: Deliberately create slow SSH response?
- Next by Date: RE: Deliberately create slow SSH response?
- Previous by thread: Re: On why debugging OpenSSH can be so hard
- Next by thread: Help with "Go away, you don't exist" error message
- Index(es):
Relevant Pages
|
