Subject: Re: FreSSH
To: Charles Shannon Hendrix <shannon@widomaker.com>
From: James Chacon <jchacon@genuity.net>
List: current-users
Date: 03/09/2002 22:49:07
>
>On Sat, Mar 09, 2002 at 11:58:46PM +0100, Emiel Kollof wrote:
>> * Charles Shannon Hendrix (shannon@widomaker.com) wrote:
>> > 
>> > I don't care if my vi edits and the guts of my tar files are visible
>> > on the net.
>> 
>> Excuse me, but what about the mail you open with mutt, or your pgp 
>> passphrase then? If only the passwd is encrypted, all those other things
>> are cleartext. Sorry, not good enough.
>
>
>You are excused.
>
>Use encryption for the data in those cases you cite.
>
>But consider something like staging files to a web server.  The
>information is going to be public anyway, so why encrypt it?  If I
>transfer files from a remote machine to my machine at home and it's
>something like the sources for NetBSD, why encrypt it?  It's public
>information!

Because if someone really wants to go to the effort, they can show you a
session that looks like the files are cleanly getting up there while
instead uploading/changing any other material they want.

>
>In cases like that, you only need your login information encrypted,
>the rest simply doesn't matter.
>
>On an internal network, authentication is often the only piece desired.
>It gets around the security holes in rsh-type mechanisms, and avoids
>problems like IP spoofing, etc.  But the data itself is often wide open
>anyway, so you don't need to encrypt it.

No, without encryption you can't work around IP spoofing. All someone needs
to do is hijack the connection *after* you've authenticated.

James
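The post-authentication hijack James describes, as an added example that is not part of this thread, of FreSSH, or of ssh: a toy protocol (the message format, the sample upload and the password-to-key step are constructed stand-ins) contrasting an auth-only session, where data modified after login is stored as-is, with one that MACs every message under a key from the login step, where modification and replay are rejected.

```python
import hashlib
import hmac
import struct

# Toy protocol for illustration only: not FreSSH, ssh, or any real wire format.
SEQ_LEN, TAG_LEN = 4, 32

def derive_session_key(password: bytes, server_nonce: bytes) -> bytes:
    # Stand-in for the protected login step: both ends hold a shared secret afterwards.
    return hashlib.sha256(b"session-key|" + server_nonce + b"|" + password).digest()

def send_protected(key: bytes, seq: int, payload: bytes) -> bytes:
    # A sequence number plus MAC binds each message to this session and position.
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

def recv_protected(key: bytes, expected_seq: int, wire: bytes):
    # Returns the payload, or None if the message was modified, replayed or reordered.
    if len(wire) < SEQ_LEN + TAG_LEN:
        return None
    header, body, tag = wire[:SEQ_LEN], wire[SEQ_LEN:-TAG_LEN], wire[-TAG_LEN:]
    if struct.unpack(">I", header)[0] != expected_seq:
        return None
    expected = hmac.new(key, header + body, hashlib.sha256).digest()
    return body if hmac.compare_digest(tag, expected) else None

def demo() -> dict:
    key = derive_session_key(b"hunter2", b"constructed-nonce")  # constructed values
    upload = b"PUT index.html\n<h1>Welcome</h1>\n"  # constructed upload
    old, new = b"<h1>Welcome</h1>", b"<h1>Defaced</h1>"
    # Auth-only model: the data goes as-is, so the receiver has nothing to check
    # and simply stores whatever arrived after the (successful) login.
    plain_received = upload.replace(old, new)
    # Protected model: the same change is made to the wire bytes after login.
    tampered = send_protected(key, 1, upload).replace(old, new)
    return {
        "plain_stored_modified_data": plain_received != upload,
        "protected_rejects_modified": recv_protected(key, 1, tampered) is None,
        "protected_accepts_genuine": recv_protected(key, 1, send_protected(key, 1, upload)) == upload,
        "protected_rejects_replay": recv_protected(key, 2, send_protected(key, 1, upload)) is None,
    }
```

Encrypting the login alone gives the receiver no way to tell the genuine upload from the altered one; the per-message MAC is what makes the hijack detectable.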