Re: How many programs "cheat" relative to SSH



wally.bass@xxxxxxxxx writes:

> Now, the question I'm interested in is: how bad is it if my email
> program simply skips step 3 above, and doesn't verify the signature.

What is being protected by the use of SSL?

If your mail client is authenticating to the server, and using a plain
text password to authenticate, then the protection is important to
maintain the secrecy of your password.

If this is just a matter of protecting the message content, then I
wouldn't trust SSL for that anyway. You should rely on PGP or S/MIME
to protect the body of the email message.

SSL, without checking the server key, is still better than sending
the message in clear text. It acts as a deterrent, for it is hard
to mount a MITM attack. And if enough clients do check the server
key, then the risk of discovery of the MITM attack is greater,
which further deters the attack. Just don't assume it is complete
protection.

> I ask because I believe I have found at least one email program that
> does that. The program "supports" SSL, and indeed, I can make
> connections which are clearly SSL connections. But, as I tried to
> discover the Certificate Authority database that the program would use
> for step 3, I couldn't find it. Then it dawned on me that step 3 can be
> skipped, and 999 of 1000 times, no one would know the difference.

Some windows clients just use the windows certificate store. Some
clients track the fingerprint of the server certificate, and warn
if that changes. Some keep their own certificate store. Some use
the openssl certificate store (on unix, linux). Perhaps some just
ignore the problem.

--
DO NOT REPLY BY EMAIL - The address above is a spamtrap.

Neil W. Rickert, Computer Science, Northern Illinois Univ., DeKalb, IL 60115
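Added example, not part of the post above: what "skipping step 3" looks like in a Python mail client's TLS setup next to the verifying configuration, plus the fingerprint-tracking (trust-on-first-use) check some clients use. The host name, port 993 and the certificate bytes in the test are constructed assumptions.

```python
import hashlib
import socket
import ssl


def strict_context() -> ssl.SSLContext:
    """Step 3 done properly: chain checked against the trust store, host name checked."""
    return ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True


def unverified_context() -> ssl.SSLContext:
    """The 'skipped step 3' configuration: still encrypted, but any certificate
    from any server (or interposer) is accepted without complaint."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies_peer(ctx: ssl.SSLContext) -> bool:
    """Quick audit helper: does this context actually verify the server?"""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, hex, as a client would record it."""
    return hashlib.sha256(der_cert).hexdigest()


class FingerprintMismatch(Exception):
    pass


def check_pinned(store: dict, host: str, der_cert: bytes) -> str:
    """Trust-on-first-use: record the fingerprint on first contact, then flag
    (here: raise) when a later connection presents a different certificate.
    Returns 'recorded' or 'matched'."""
    fp = fingerprint(der_cert)
    known = store.get(host)
    if known is None:
        store[host] = fp
        return "recorded"
    if known != fp:
        raise FingerprintMismatch(f"{host}: expected {known}, got {fp}")
    return "matched"


def connect_with_pin(store: dict, host: str, port: int = 993) -> str:
    """Open a verified TLS connection (IMAPS port assumed) and apply the TOFU
    check to the certificate the server actually presented."""
    with socket.create_connection((host, port)) as raw:
        with strict_context().wrap_socket(raw, server_hostname=host) as tls:
            return check_pinned(store, host, tls.getpeercert(binary_form=True))
```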
