On 2012-05-09, Alvaro Mantilla Gimenez <alv...@alvaromantilla.com> wrote:
> According to these guys, connecting through SSH to a remote server is not secure...
>
> http://www.wziss.com/

And if you're connecting to a compromised web server, HTTPS doesn't
automatically make that secure either. This is not the threat that
this particular protocol guards against.

> Look in "Case Studies"....

Here's another: if you use agent forwarding, even if you use "ssh-add -c"
when you add your identities to require that they're confirmed to prevent
the most common attack scenario with agent forwarding, the admin could
have replaced the ssh binary with one which makes the connection and
runs his own commands over it, or allows access to a second session
via multiplexing.

And another: if you do the above *and* build your own ssh binary to
make sure that's legitimate, the admin could have replaced the compiler,
or make, or install, or something else, with one which builds/installs
a trojanned program.
