Subject: Re: Any point to cvs using rsh? (was Re: Anoncvs pointer)
To: Gary Thorpe <gathorpe79@yahoo.com>
From: Greg A. Woods <woods@weird.com>
List: current-users
Date: 12/13/2002 21:40:22
[ On Friday, December 13, 2002 at 15:16:05 (-0500), Gary Thorpe wrote: ]
> Subject: Re: Any point to cvs using rsh? (was Re: Anoncvs pointer)
>
> That's kind of what I was asking...since things like anonymous ftp and
> anonymous cvs may not necessarily require data encryption but NEED
> protection against host spoofing/session hijacking (almost all TCP
> services?), would something like IPSEC be appropriate? Would it require
> less resources to implement, or is it the same effect as SSH just moved
> lower down the protocol stack? Is there a way to ensure the computer
> you are talking to is actually the one you want to talk to without
> encrypting the data stream itself?

There are potentially some advantages to moving some things into the
kernel, but there can just as easily be disadvantages too.

The really Really big problem with any of these things is key
distribution and revocation and the trust of shared public keys.  I hate
to say it, but in some senses the prevalence of SSL in browsers and the
wide-spread availability of more or less reputable certificate signers
probably makes SSL the best secure data transport security protocol, and
in this particular case probably HTTPS is the best actual transport
protocol to use.  HTTPS is also likely the only protocol a site like
NetBSD.org could get away with restricting people to using, though SSH
may still be a viable alternative (if a bit more wonky to set up) if
there were a decent web of trust built up around a signed SSH public
key which it would use.

In the meantime in the practical world each person downloading sources
or whatever has to assess his or her own risks and take appropriate
mitigating actions.  The likelihood that an attacker will randomly
hijack someone's FTP, or CVS pserver, or rsync, etc. connection is quite
low -- the inverse risks to the attacker are too high, and the relative
payoff to the attacker is too low.  However a selective attack against
a specific user might be much more likely.  To that end using plain old
unauthenticated TCP connections to download NetBSD sources is easily
secure enough for the majority of people, and for those for whom it is not
(e.g. maybe mirror sites), well they have a lot more to worry about than
just their NetBSD.org connections and the integrity of the data they
retrieve over those connections.

-- 
								Greg A. Woods

+1 416 218-0098;            <g.a.woods@ieee.org>;           <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
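[Editor's added example, not part of the original message and not code from NetBSD.org or anyone in the thread.]  The question upthread asks whether the peer and the data can be authenticated without encrypting the stream, and the reply points out that the hard part is distributing and trusting the public key, not the cryptography itself.  The Go program below illustrates both points: a hypothetical publisher signs the SHA-256 digest of a source tarball with an Ed25519 key, and the downloader verifies the bytes it received over a plain, unauthenticated connection using only a pinned public key.  The names (Publisher, NewPublisher, Sign, Verify), the key pair and the tarball bytes are all constructed for the example; it assumes the downloader already obtained the correct public key by some trusted path, which is exactly the part this code does not solve.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Publisher stands in for a hypothetical source distributor (not NetBSD.org's
// real infrastructure). It holds the long-term signing key pair; only the
// public half is ever handed to downloaders, and getting that public key to
// them by a path the attacker cannot influence is the key-distribution
// problem the post talks about. This code does not solve that problem; it
// assumes the downloader already has the right public key.
type Publisher struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewPublisher generates a fresh key pair. A real publisher would generate
// this once and keep the private half offline.
func NewPublisher() (*Publisher, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Publisher{pub: pub, priv: priv}, nil
}

// PublicKey returns the half that gets distributed (pinned) to downloaders.
func (p *Publisher) PublicKey() ed25519.PublicKey { return p.pub }

// Sign produces a detached signature over the SHA-256 digest of an artifact
// (e.g. a source tarball). The signature can travel next to the artifact over
// the same plain FTP/HTTP/rsync connection; it carries no secret.
func (p *Publisher) Sign(artifact []byte) []byte {
	digest := sha256.Sum256(artifact)
	return ed25519.Sign(p.priv, digest[:])
}

// Verify is the downloader's side: given the pinned public key, the bytes
// actually received and the detached signature, it answers whether the bytes
// are the ones the publisher signed. A hijacked or spoofed connection that
// swaps the bytes (or the signature) fails here, even though nothing on the
// wire was encrypted.
func Verify(pinned ed25519.PublicKey, artifact, sig []byte) bool {
	if len(pinned) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	digest := sha256.Sum256(artifact)
	return ed25519.Verify(pinned, digest[:], sig)
}

func main() {
	pub, err := NewPublisher()
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for a source tarball; not real NetBSD data.
	tarball := []byte("src.tar.gz: constructed sample bytes\n")
	sig := pub.Sign(tarball)
	fmt.Printf("signature: %s\n", hex.EncodeToString(sig))

	// Honest download: bytes arrive unchanged.
	fmt.Println("untampered verifies:  ", Verify(pub.PublicKey(), tarball, sig))

	// Hijacked download: one byte flipped in transit.
	tampered := append([]byte(nil), tarball...)
	tampered[0] ^= 0x01
	fmt.Println("tampered verifies:    ", Verify(pub.PublicKey(), tampered, sig))

	// Wrong key pinned: a downloader who was tricked into trusting an
	// attacker's public key instead of the publisher's. The signature check
	// is only as good as the key distribution that preceded it.
	imposter, _ := NewPublisher()
	fmt.Println("imposter key verifies:", Verify(imposter.PublicKey(), tarball, sig))
}
```

Run with `go run main.go`.  The first check prints true and the other two false: integrity and origin of the data are established with no encryption at all, but the third case shows that if the attacker can substitute the pinned key (or, equivalently, the certificate signer a browser trusts), the whole scheme collapses, which is why the message above treats key distribution and revocation as the real problem.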