(sorry about the quoting, webmail isn't quite so flexible as my normal MTA)

________________________________
From: winst...@gmail.com [winst...@gmail.com] on behalf of Keith Winstein [kei...@mit.edu]
Sent: Friday, 27 December 2013 6:21 a.m.
> If the badguy is running as the user, they could start up a fresh SSH or Mosh 
> (or anything) connection and log in from anywhere -- no need to hijack an 
> existing connection, although they could do that too.

I was more concerned about a key being stolen from the mobile device, and 
exfiltrated to the bad guy elsewhere. Where TCP-based connections require an 
attacker to spoof the original source address as well as the session 
credentials, mosh has only the session credentials; you don't seem to have any 
protection against large jumps in the sequence number as an indication of 
attack for example, or invalid packets for a connection coming from different 
sources. Looking from outside the application, from an IDS perspective, will 
help for some of this but won't help to understand the contents of the packets.

> A sequence number is a 63-bit unsigned integer. There's no wraparound. A 
> legitimate SSP sender will simply end the connection after two petabytes of 
> data have been sent to preserve the authenticity and privacy of the AES-OCB 
> stream. There is no key renegotiation.

2PB is of course immense, but in the long term I think you'll benefit from a 
renegotiation protocol, triggered by total data, or time, or any other 
anomalies in the channel that may come up, a bit like sshv1 does.

> Some people in the #mosh IRC channel were discussing your upcoming 
> presentation at linux.conf.au -- it looks very relevant! Would you be 
> willing to share your conclusions with the list? We are proud of Mosh's 
> security record so far and interested to work with the security community 
> as people get more experience with Mosh.

Ah, I've been found out, have I? :-)
Not everything we've discussed here is direct source material for the 
presentation, but it has been really useful for me to build up an appreciation 
of what's happening. My general feeling is that you have done a decent job of 
coming up with a secure connection (for example, separating out the datagram 
layer), but you haven't been thinking of the sorts of multifaceted attacks that 
are used in the hostile world ... having said that, I'm not in the business of 
building PoC exploits.

LCA presentations are usually livestreamed, and if I get the chance I'll make 
sure to pass the details on to this list. In any case the video & slides will 
be available soon afterwards. Given that I haven't quite finished writing it 
all yet, you'll have to wait :-)

If you think it would be helpful, I could organise to have someone sit on your 
IRC channel during the presentation for the Q&A portion? Obviously this would 
be most useful combined with the livestreaming ...

-jim
_______________________________________________
mosh-users mailing list
mosh-users@mit.edu
http://mailman.mit.edu/mailman/listinfo/mosh-users
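
The two signals raised in the message above (large jumps in the sequence number, and invalid packets arriving from a different source) can be checked at the endpoint, where the authentication result is visible. This is an added example, not part of the original message and not Mosh code; the record fields, thresholds and alert names are assumptions, and the sample addresses are constructed.

```python
from dataclasses import dataclass, field

# Assumed thresholds, not values taken from Mosh; tune against real traffic.
MAX_SEQ_JUMP = 1000
MAX_BAD_PER_SOURCE = 3

@dataclass
class Session:
    peer: str = ""        # source of the last authenticated datagram
    last_seq: int = -1    # highest authenticated sequence number seen
    bad: dict = field(default_factory=dict)  # failed-auth count per source

def inspect(s, src, seq, auth_ok):
    """Return the alert kinds raised by one received datagram."""
    if not auth_ok:
        s.bad[src] = s.bad.get(src, 0) + 1
        # Invalid packets from somewhere other than the current peer.
        if src != s.peer and s.bad[src] == MAX_BAD_PER_SOURCE:
            return ["invalid-from-other-source"]
        return []
    if seq <= s.last_seq:
        return []         # stale or duplicate: no state change
    jump = s.last_seq >= 0 and seq - s.last_seq > MAX_SEQ_JUMP
    moved = s.peer != "" and src != s.peer
    s.peer, s.last_seq = src, seq
    if jump and moved:
        return ["seq-jump-from-new-source"]  # both signals at once
    if jump:
        return ["seq-jump"]
    return ["source-changed"] if moved else []

# Constructed sample: (source address, sequence number, authenticated?)
SAMPLE = [
    ("192.0.2.10", 1, True),
    ("192.0.2.10", 2, True),
    ("198.51.100.7", 3, True),     # client changes network
    ("203.0.113.9", 0, False),     # three datagrams that fail authentication
    ("203.0.113.9", 0, False),
    ("203.0.113.9", 0, False),
    ("203.0.113.9", 9000, True),   # valid key, new source, large jump
    ("203.0.113.9", 9001, True),
]

def run(events):
    """Feed events through one session; return (event index, alert) pairs."""
    s = Session()
    return [(i, a) for i, e in enumerate(events) for a in inspect(s, *e)]

if __name__ == "__main__":
    for idx, alert in run(SAMPLE):
        print(idx, alert)
```

A source change on its own is reported separately from a source change combined with a sequence jump, so the two can be given different severities.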
