Subject: Re: FreSSH
To: NetBSD-current Discussion List <current-users@netbsd.org>
From: David Laight <david@l8s.co.uk>
List: current-users
Date: 03/12/2002 09:21:31
On Sat, Mar 09, 2002 at 12:04:43PM -0500, Greg A. Woods wrote:
> [ On Saturday, March 9, 2002 at 11:31:41 (-0500), Charles Shannon Hendrix wrote: ]
> > Subject: Re: FreSSH
> >
> > On Fri, Mar 08, 2002 at 02:46:18AM -0500, Michael G. Schabert wrote:
> > >
> > > Hehe, turn off encryption??
> > > 
> > > "alias ssh telnet"
> > 
> > No... encryption of packets, not the password handshake to establish
> > the connection.
> 
> But that's the whole point.  You may as well put your password in the
> clear on the wire if you don't use strong crypto for the entire
> connection.  If someone can see your password as it flies by then they
> can almost certainly hijack your connection.  If they can actually get
> right in the middle of your connection then they can proxy your
> connection, doing things as you, and only showing you what you think you
> should see.  You can't have it half-way and expect it still to be
> secure because it won't be.

One problem with encrypting everything is that it becomes trivial
to perform a 'chosen plaintext' attack.  Unless you are very
careful about the algorithm used this could make life easy.

How often do you download a 100k spam mail item?
It could just be a load of chosen plaintext being used
to break your encryption.  Much better to use an
unencrypted transfer.
The routine encryption on ALL messages using strong encryption
- typically believed unbreakable - has led to many systems
being routinely broken.


	David

-- 
David Laight: david@l8s.co.uk
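The point about being "very careful about the algorithm used" is the reason modern designs are evaluated under a chosen-plaintext model: the adversary is assumed to be able to get arbitrary text of their choosing encrypted (the spam mail in the message), and the scheme must still leak nothing. The following Go program is an added illustration, not code from this thread or from any SSH implementation. It assumes a constructed fixed key and plaintext, and contrasts a deterministic mode (AES-ECB, written out by hand because Go's standard library deliberately offers no ECB helper) with a randomised one (AES-CBC under a fresh random IV). The adversary's test is the simplest chosen-plaintext distinguisher: submit a plaintext with repeated blocks, or submit the same plaintext twice, and look for repetition in the output.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const blockSize = aes.BlockSize // 16 bytes for AES

// EcbEncrypt encrypts pt (a whole number of blocks) with AES in ECB mode.
// Each plaintext block is encrypted independently, so equal plaintext
// blocks always yield equal ciphertext blocks.
func EcbEncrypt(key, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	if len(pt)%blockSize != 0 {
		panic("plaintext must be a multiple of the block size")
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += blockSize {
		block.Encrypt(ct[i:i+blockSize], pt[i:i+blockSize])
	}
	return ct
}

// CbcEncrypt encrypts pt with AES-CBC under a fresh random IV. The IV is
// returned as the first block of the output; because it is chosen anew for
// every call, encrypting the same plaintext twice gives different output.
func CbcEncrypt(key, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	if len(pt)%blockSize != 0 {
		panic("plaintext must be a multiple of the block size")
	}
	out := make([]byte, blockSize+len(pt))
	iv := out[:blockSize]
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[blockSize:], pt)
	return out
}

// RepeatedBlocks counts ciphertext blocks identical to an earlier block.
// A chosen-plaintext adversary who submits repeated plaintext blocks learns
// from a non-zero count that the scheme preserves plaintext equality.
func RepeatedBlocks(ct []byte) int {
	seen := make(map[string]bool)
	n := 0
	for i := 0; i+blockSize <= len(ct); i += blockSize {
		b := string(ct[i : i+blockSize])
		if seen[b] {
			n++
		}
		seen[b] = true
	}
	return n
}

// Deterministic reports whether encrypting the same chosen plaintext twice
// yields the same ciphertext; a scheme for which this holds cannot be
// chosen-plaintext secure.
func Deterministic(enc func([]byte) []byte, pt []byte) bool {
	return bytes.Equal(enc(pt), enc(pt))
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit demo key
	// Chosen plaintext: the same 16-byte block repeated four times.
	pt := bytes.Repeat([]byte("ATTACK AT DAWN!!"), 4)

	ecb := func(p []byte) []byte { return EcbEncrypt(key, p) }
	cbc := func(p []byte) []byte { return CbcEncrypt(key, p) }

	fmt.Printf("ECB: repeated blocks=%d deterministic=%v\n",
		RepeatedBlocks(ecb(pt)), Deterministic(ecb, pt))
	fmt.Printf("CBC: repeated blocks=%d deterministic=%v\n",
		RepeatedBlocks(cbc(pt)[blockSize:]), Deterministic(cbc, pt))
}
```

Run as-is, the ECB line reports three repeated blocks and deterministic output, while the CBC line reports none. The block cipher itself is identical in both cases; what decides whether the spam-mail scenario hands the adversary anything is the mode of operation around it, which is exactly the "careful about the algorithm" caveat in the message.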