tech-userlevel archive


Re: disable HPN in sshd for the -10 branch?



On Mon, May 23, 2022 at 05:30:36PM -0700, John Nemeth wrote:
 > } I would say that doesn't really fit with what we want either, certainly
 > } without somebody really trying.  It breaks the rule that using ssh can
 > } count on confidentiality and integrity and makes systems with ssh as a
 > } component harder to reason about.
 > 
 >      I would say it is something that should be available as an
 > option (likely a command line option).  ssh/scp has pretty much
 > completely replaced rsh/rcp (other than for people that go out of
 > their way to use those); however, there are many things that get
 > copied around that are completely public where encrypting them for
 > data transfer is useless overhead.  That said you likely still want
 > passwords encrypted and integrity checks.

(1) having an unencrypted option at all is one of the ways spooks like
to weaken cryptosystems; it creates ways to force/cause people to use
it when they didn't mean to.

(2) if you don't encrypt everything, you're telling anyone who's
listening which data's important.

IOW, I disagree entirely.

-- 
David A. Holland
dholland%netbsd.org@localhost

