* Geoff Galitz [13. May 2009]:
> Has any thought been given to (or code developed for) using either:
> - rsync over ssh for feed services?
> - svn export functions over ssh for feed services?
> - other encryption technologies for feed services?
>
> My main concern is that if unencrypted services such as plain old
> HTTP/FTP/rsync are used for feeds, then sniffers placed in strategic points
> in the Internet or even compromised boxes in a local DMZ would be able to
> identify an OpenVAS deployment.

An interesting idea, and a good time to suggest it. As you may have noticed, I
just put Change Request #32 online, which will very likely result in changes to
the synchronization script to offer additional synchronization methods. We
could implement encrypted synchronization if it is wanted and needed.

> In principle it seems this kind of information should be kept secure
> (knowledge of deployed services within a network). Also, as a practical
> matter, for the unfortunate day when a security vulnerability hits an
> OpenVAS component (or third party component) we don't want the bad guys to
> know.

True. But on the other hand, if I had placed sniffers in strategic points, I
would simply look for connections to the few well-known feed services. Any file
transfer, encrypted or not, from something like rsync.openvas.org would
probably be enough to raise my interest.

I think your idea is worthwhile, I just don't see a real benefit in the
situation you describe. Or am I missing something?

Regards,

Michael

--
Michael Wiegand | OpenPGP: D7D049EC | Intevation GmbH - www.intevation.de
Neuer Graben 17, 49074 Osnabrück, Germany | AG Osnabrück, HR B 18998
Managing Directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
_______________________________________________
Openvas-devel mailing list
Openvas-devel@wald.intevation.org
http://lists.wald.intevation.org/mailman/listinfo/openvas-devel