Re: CRIME FTP

From: John McHugh (jmchugh@private)
Date: Fri May 09 2003 - 06:07:41 PDT


    The ssh solutions (sftp, scp) etc. are reasonable ones for avoiding
    the (probably minimal) risk of a sniffed clear text password.
    
    However, there have been repeated problems with serious
    vulnerabilities in the ssh suite that could lead to root compromises.
    There have been several CERT Advisories and numerous Vulnerability Notes.
    The most recent advisory is: "CERT Advisory CA-2002-36 Multiple
    Vulnerabilities in SSH Implementations"
    
    As a result, our internal policy is to block ssh at the firewall,
    opening the port on request for a limited duration and for connections
    only from a specific address or address range.  Requests have to be
    made out of band and authenticated.  Typically, I make the request by
    internal email and confirm it in person to the systems staff before I
    go on the road.
    
    You may find that this level of paranoia is excessive for your
    organization. 
    
    John McHugh
    
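As an added illustration (not part of John McHugh's message and not a description of his organization's firewall), the policy he outlines expressed as an nftables ruleset: SSH is dropped by default and logged, and an exception for one source address is added with an expiry so it removes itself when the agreed window ends. The address 203.0.113.17, the 8h window and the chain names are constructed placeholders; an address range would need an interval set, which this fragment does not use.

```nft
# Default stance: no inbound SSH. Exceptions live in a set whose
# elements carry a timeout, so a forgotten request cannot stay open.
table inet filter {
    set ssh_allow {
        type ipv4_addr
        flags timeout          # each element expires on its own
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iif lo accept

        # New SSH connection from an address with a live exception.
        tcp dport 22 ct state new ip saddr @ssh_allow \
            log prefix "ssh-allowed " accept

        # Everything else aimed at SSH: log it so unexpected attempts
        # are visible, then drop.
        tcp dport 22 ct state new log prefix "ssh-blocked " drop
    }
}

# Granting a request (run by the systems staff after the out-of-band
# confirmation). Placeholder address and duration; the entry vanishes
# from the set after 8 hours without anyone having to remember it.
#   nft add element inet filter ssh_allow { 203.0.113.17 timeout 8h }
#
# Revoking early, or checking what is currently open:
#   nft delete element inet filter ssh_allow { 203.0.113.17 }
#   nft list set inet filter ssh_allow
```

The `ssh-blocked` log prefix also gives the firewall logs a simple string to alert on for SSH attempts arriving outside an approved window.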



    This archive was generated by hypermail 2b30 : Fri May 09 2003 - 06:27:14 PDT