IETF-SSH archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: New draft-draft of sftp...
> Jeffrey Altman <jaltman%columbia.edu@localhost> wrote:
>
> > I am going to have to think about this concern for a bit. However, my
> > initial reaction is that if the host has been hacked so that daemon
> > services are replaced then I think you are in bigger trouble. At that
> > point you can't count on the contents of any of the files you may
> > receive from that server. Depending on what they are you will be hosed.
>
> That's a fair point in many circumstances, of course; yes.
>
> Not every circumstance, though; suppose I was intending to download
> a bunch of archive files and then check their GPG signatures? In
> that situation I'm already protected against a malicious server
> changing the content of the files, so being unprotected against the
> same malicious server doing other damage to me is a step downward.
>
> Cheers,
> Simon
> --
> Simon Tatham "A cynic is a person who smells flowers and
> <anakin%pobox.com@localhost> immediately looks around for a coffin."
>
That is assuming you have an out of band means of determining what the
files names should be. If you don't have that then you are forced to
rely on the trust of the server to provide you the correct file
listings.
Jeffrey Altman * Volunteer Developer Kermit 95 2.1 GUI available now!!!
The Kermit Project @ Columbia University SSH, Secure Telnet, Secure FTP, HTTP
http://www.kermit-project.org/ Secured with MIT Kerberos, SRP, and
kermit-support%columbia.edu@localhost OpenSSL.
Home |
Main Index |
Thread Index |
Old Index