On Monday, 18 March 2002 14:50, Reckhard, Tobias wrote:
[snip]
The websites are not too interesting for attackers
Umm.. see the issue of Cryptogram released today. Check http://www.counterpane.com/crypto-gram-0203.html#7, lesson number 1.
Good point, I shouldn't take that too easy either
and login is done via ssh (v2) only, so at least I get a warning if something strange happens.
Be sure to notice host key changes and don't use server-stored passwords for authentication. They'd pass through the 'router' as well and he could rather easily set up an SSH proxy.
Sure, I type in "yes" only once for a certain server...
But the mail-traffic remains a problem! As far as I can see up to now, sendmail-tls and qpopper use plain text at least for the mail-body. So the content is disclosed to any attacker if not the username/password.
Well, SMTP and POP3 are clear-text protocols by nature. You can stack them on top of SSL/TLS, but you need clients that can do that as well. With emails, encryption and authentication of the message content using PGP or S/MIME is also in widespread use.
Well, as you can see in my ethereal output, even SMTP-TLS sends the BODY of the mail in plain text! I haven't tried it yet, but I fear qpopper will do the same. Only the authentication is encrypted, not the data. I would have to convince all users to use PGP or GPG and I don't believe I'll succeed :-(
I sure try to avoid ftp, but webmasters on Mac are used to FTP... Maybe there's a scp-client for Macs? I'll have a look.
Another option would be to use IPSec or a functionally similar VPN technology.
I'll try to talk to the Mac user to see what's possible there...

Cheers
Tobias

Thank you for your thoughts
Roland Hilkenbach
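
An added example, not part of the original thread: a small Python check that reads a text export of a captured SMTP dialogue and reports whether AUTH or DATA appeared in the readable part of the session, that is, before TLS was started. The `C: `/`S: ` line format, the host names and both sample sessions are constructed for illustration.

```python
import re

# Constructed captures: "C: " = client to server, "S: " = server to client.
PLAINTEXT_SESSION = """\
S: 220 mail.example.org ESMTP
C: EHLO client.example.org
S: 250 STARTTLS
C: MAIL FROM:<a@example.org>
S: 250 ok
C: DATA
S: 354 go ahead
C: Subject: test
C:
C: secret body
C: .
S: 250 queued
"""
TLS_SESSION = """\
S: 220 mail.example.org ESMTP
C: EHLO client.example.org
S: 250 STARTTLS
C: STARTTLS
S: 220 ready to start TLS
"""

def audit_smtp_capture(text):
    """Report what the readable (pre-TLS) part of an SMTP capture exposes."""
    r = {"starttls_offered": False, "tls_started": False,
         "auth_in_clear": False, "body_in_clear": False}
    pending_tls = in_data = False
    for line in text.splitlines():
        side, payload = line[:1], line[3:]
        if side == "S":
            if re.match(r"250[- ]STARTTLS\b", payload, re.I):
                r["starttls_offered"] = True
            if pending_tls and payload.startswith("220"):
                r["tls_started"] = True
                break  # everything after this is TLS records, not SMTP text
            pending_tls = False
        elif in_data:
            in_data = payload != "."  # body lines run until the lone dot
        elif side == "C":
            verb = payload.split(" ", 1)[0].upper()
            pending_tls = verb == "STARTTLS"
            r["auth_in_clear"] |= verb == "AUTH"
            if verb == "DATA":
                r["body_in_clear"] = in_data = True
    return r
```

A session where `starttls_offered` is true but `body_in_clear` is also true is one in which the client never issued STARTTLS, which is worth checking in the client's settings.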