On Wed, Dec 18, 2013 at 4:51 PM, Jim Cheetham <jim.cheet...@otago.ac.nz>wrote:
> There's another case I touched on in that speculative malware section > above; I'm assuming that if the bad guys get the session key, all they > have to do it to create a "bigger" sequence number and they are > automatically more preferred than the real client. Is that correct? Are > smaller sequence numbers logged as bogus? How big can the sequence > numbers go, what happens when the number wraps back to zero? Hello Jim, Yes, if a malefactor gets a hold of the session key it is game over from a security perspective. Mosh 1.2.1 used to log out-of-order packets and warn the user about them, but it turns out these are common on some wireless links (e.g. 802.11n), so we turned off the warning. I'm open to restoring a warning about "grossly" out-of-order packets, but I doubt it will do much good -- if a bad guy can execute with the user's privileges to steal the session key, that's a big problem. If the badguy is running as the user, they could start up a fresh SSH or Mosh (or anything) connection and log in from anywhere -- no need to hijack an existing connection, although they could do that too. A sequence number is a 63-bit unsigned integer. There's no wraparound. A legitimate SSP sender will simply end the connection after two petabytes of data have been sent to preserve the authenticity and privacy of the AES-OCB stream. There is no key renegotiation. Some people in the #mosh IRC channel were discussing your upcoming presentation at linux.conf.au -- it looks very relevant! Would you be willing to share your conclusions with the list? We are proud of Mosh's security record so far and interested to work with the security community as people get more experience with Mosh. Best regards, Keith
_______________________________________________ mosh-users mailing list mosh-users@mit.edu http://mailman.mit.edu/mailman/listinfo/mosh-users
