There are a lot of people out there who think their SSL-enabled website is
not vulnerable to common exploits. They think: we have security on our
site, so it's safe. This is a very twisted view. The same is true for SSH.
The default installation of SSH (using a username and password to
authenticate) only provides you with an encrypted control session. Anyone
out there can still brute force it - a weak password (see telnet) is just as
much a problem with SSH as with telnet. The advantage of using SSH is that
your control session is encrypted - this means that it would be very
difficult for someone to see what you are doing. The other nice thing about
using SSH and not telnet is that an SSH session cannot be hijacked. There
are some theories of an SSH insertion attack, but I have not seen this work
in the real world.
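
Encryption does not hide password guessing from the server itself: every failed attempt lands in the sshd log. The following is an added example, not part of the original post, that counts failed password logins per source address and flags a successful login that follows such a run. The log lines are constructed samples in the OpenSSH syslog format, and the threshold of 5 is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in the OpenSSH sshd syslog format (not real data).
SAMPLE_LOG = """\
Jan 10 03:14:01 host sshd[2101]: Failed password for root from 203.0.113.5 port 40112 ssh2
Jan 10 03:14:03 host sshd[2101]: Failed password for root from 203.0.113.5 port 40112 ssh2
Jan 10 03:14:05 host sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 40118 ssh2
Jan 10 03:14:08 host sshd[2105]: Failed password for invalid user test from 203.0.113.5 port 40120 ssh2
Jan 10 03:14:11 host sshd[2107]: Failed password for root from 203.0.113.5 port 40125 ssh2
Jan 10 03:14:14 host sshd[2109]: Accepted password for root from 203.0.113.5 port 40131 ssh2
Jan 10 09:30:00 host sshd[3300]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Jan 10 09:30:09 host sshd[3300]: Accepted password for alice from 198.51.100.7 port 51000 ssh2
"""

# Matches both "Failed password for <user>" and "... for invalid user <user>".
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def analyze(log_text, threshold=5):
    """Return per-source stats for addresses with >= threshold failed logins."""
    stats = defaultdict(
        lambda: {"failures": 0, "users": set(), "success_after": False}
    )
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        s = stats[m["ip"]]
        if m["result"] == "Failed":
            s["failures"] += 1
            s["users"].add(m["user"])
        elif s["failures"] >= threshold:
            # An accepted login after a run of failures suggests a guessed password.
            s["success_after"] = True
    return {ip: s for ip, s in stats.items() if s["failures"] >= threshold}

if __name__ == "__main__":
    for ip, s in analyze(SAMPLE_LOG).items():
        print(ip, s["failures"], sorted(s["users"]), s["success_after"])
```
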
SSH can also be used for tunneling other data over the SSH channel. This is
very sweet and there are many interesting tricks - running PPP over SSH,
running Z-modem transfers over SSH, etc. But we are here for breaking, not
building, eh?