Re: Security problem

From Carlos Moreno <moreno_news@mailinator.com>
Newsgroups comp.os.linux.development.apps
Subject Re: Security problem
Date 2011-09-02 13:58 -0400
Organization University of Waterloo
Message-ID <j3r5gv$18s$1@rumours.uwaterloo.ca>
References <j3jrp5$534$1@speranza.aioe.org> <j3o9eb$jk9$1@rumours.uwaterloo.ca> <87obz4s142.fsf@araminta.anjou.terraraq.org.uk> <j3qdbm$ucn$1@reversiblemaps.ath.cx> <87aaanjeio.fsf@araminta.anjou.terraraq.org.uk>


>> if similar happens again your PK based auth could be vulnerable too.
>
> And there are other systems where password-based authentication has had
> serious bugs, and that could also happen in the future.  Dismissing just
> one form of authentication because of past buggy implementations is
> absurd.

Well, yes and no (the "is absurd" part).

Notice that in my other message I was acknowledging that my
fear of PK auth is somewhat irrational, going exactly with
this idea that you state in here.

But the thing is, the bug was so simple and it looks like
"so easy to happen" that it sort of makes you afraid of the
method. I guess one of the aspects that fuels the fear is
the utter lack of control that one has --- as soon as you
*enable* PK authentication, your system is as good as an
open, universally available system with no authentication
required.

For other things, the typical bugs that one can imagine
typically have an "if" associated --- you know, if you
set up accounts this way or that way, then you're vulnerable;
if you fail to do this or that, then you're vulnerable; if
you had this or that setting in place, then the bug does
not affect you... etc.

I know, this is by no means an absolute rule, and so many
different bugs in so many different flavours could show up
in the future --- but in terms of "gut feeling", in terms
of the "peace of mind" aspect of security/setup/bugs, that
Debian OpenSSL bug was quite terrifying...

Cheers,

Carlos
--
