-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>>>>> "Michael" == Michael Wood <[EMAIL PROTECTED]> writes:

[...]

Michael> Ahhh, but this is quite easily guessable, since for most stuff
Michael> you type, the server echos it. For passwords, it doesn't.
Michael> i.e. just watch the SSH session, and when you see packets
Michael> going to the server that aren't being echoed you know the
Michael> person is typing a password and you can count the characters.

IIRC, this was one of the problems with SSH1 that was fixed in SSH2
(the protocol version, not the program version). I think that SSH2
will always send back some packet to the client -- either a dummy
packet, or a real packet. Dang, can't remember where I read that.

[...]

Michael> The problem with man in the middle attacks is that people far
Michael> too easily click on "Yes" when asked to accept a key that has
Michael> changed (or type in "yes" when asked a similar question by
Michael> SSH.)

Yup. The biggest security hole is social engineering.

- --
Hubert Chan <[EMAIL PROTECTED]> - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/651854DF71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD 6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net. Please encrypt *all* e-mail to me.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7jSYIZRhU33H9o38RAgqkAJ9QAkW31iBbfZHc4ePFawCJU7p/OgCfT8TE
0mHADg7i8JXiwWdZ9X4HFM4=
=Hdhc
-----END PGP SIGNATURE-----