Subject: Re: FreSSH
To: NetBSD-current Discussion List <current-users@netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: current-users
Date: 03/10/2002 17:57:38
[ On Sunday, March 10, 2002 at 13:28:20 (-0500), Charles Shannon Hendrix wrote: ]
> Subject: Re: FreSSH
>
> Yes, but since you wouldn't default to non-encrypted connections, it's
> unlikely they would be using it anyway.  
> 
> There are a number of ways to screw yourself using ssh and thinking you
> are secure, so I don't see this as a big problem.

If you're a security administrator and you are "forcing" your users to
use SSH in order to protect them from their own ignorance of security
issues, then do you really want to give them the ability to decide for
themselves what data is public and what data is private?

I for one might want all my users to always use encryption all of the
time.  While I might trust their judgement of what's public and what's
private, I'm not prepared to trust them to always use the appropriate
level of privacy protection, especially when I know they may not be
really all that familiar with the detailed operations of a tool as
complex as SSH.  This kind of security is sort of like safe sex.

> The sourceforge crack done a few months ago was done despite the
> encryption, so it's no guarantee anyway.

Well, not exactly "despite the encryption" but rather more like
"despite, and perhaps even because of the requirement to use SSH", but I
see your point.

> If you really want to be secure,
> you never hop, you always start from a secured location.

Indeed.  I wonder how many people have (continued to) use an SSH client
from a client host that had recently been infected with a virus or
infested with a worm?  Obviously some have.

-- 
								Greg A. Woods

+1 416 218-0098;  <gwoods@acm.org>;  <g.a.woods@ieee.org>;  <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>