Path: utzoo!attcan!uunet!ncrlnk!ncr-sd!hp-sdd!hplabs!ucbvax!VAX.FTP.COM!stev
From: stev@VAX.FTP.COM
Newsgroups: comp.protocols.tcp-ip
Subject: An Obvious Security Problem?
Message-ID: <8811162311.AA09389@vax.ftp.com>
Date: 16 Nov 88 23:11:05 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 43

*A <------------------> M <------------------> Z
*
*(Node M is actually one or more gateways.) Couldn't a bad guy on M
*monitor the TCP/IP traffic looking for Telnet connections and then
*follow through the exchange of login names and passwords, thereby
*capturing a node/login and password pair? (I realize that the
*path from A to Z is dynamic and that this might not always be
*possible.)
*
*Jon Forrest
*Lawrence Berkeley Lab
*FORREST@LBL.GOV

yep. even on a single ethernet someone could use a lan monitor to catch
your passwords as they fly over the net. i believe the Athena people use
Kerberos (sorry about butchering the spelling) to deal with some of this.
(or at least they could . . . . .)

network security is a very big fish to try and fry. basically, the whole
system would have to be re-done. i would think that we would want to use
different "well known ports" for the new secure versions. and forget IP
security. if the packet is on my wire, i can see it. IP security is only
good if all the machines respect it. (a friend told me the only
real-world use he saw for IP security was internet wide poker games.)

perhaps a kerberos type of scrambling on a host basis rather than a
connection basis (the host has a public key assigned to it). if you try
this, you can skip messing with the programs, and put the unscrambler
between the network code and the application. (i suppose you could even
make it an IP option. then you could even protect the tcp layer from
prying eyes.) this *will* add to the overhead, though.

i haven't really thought about this a lot, and am not sure if it is the
"right thing to do" yet or not. ah, well, too late now, i suppose . . .
(the "purists" will probably not like this.)

(*sigh*)

stev knowles
ftp software
stev@ftp.com
617-868-4878
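The exchange above makes two points that are easy to demonstrate side by side: an observer on node M sees a Telnet login in the clear, and a per-host "scrambler" placed between the network code and the application hides it without the application changing at all. The following is an added example, not code from the original post or from FTP Software; the host key, the sample login dialogue and the `seal`/`unseal` layer are all constructed for illustration. It uses an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag so that tampering on M is detected as well, and it assumes (as the post does) that both endpoints run the layer, since a key present on only one side would protect nothing.

```python
import hmac
import hashlib
import secrets

# Constructed shared host key for nodes A and Z. A real deployment would
# obtain it from a Kerberos-style exchange, not from a fixed string.
HOST_KEY = hashlib.sha256(b"example-shared-host-key-for-A-and-Z").digest()

# Constructed sample of the application-layer bytes in a Telnet login.
# The application sends exactly these regardless of which transport is used.
SESSION = [
    ("Z", b"login: "),
    ("A", b"jforrest\r\n"),
    ("Z", b"Password: "),
    ("A", b"correct-horse-battery\r\n"),
    ("Z", b"Last login: Wed Nov 16 1988\r\n"),
]
PASSWORD = b"correct-horse-battery"


def _subkey(key, label):
    """Derive separate encryption and MAC keys from the host key (key separation)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """Counter-mode keystream: HMAC-SHA256 is used as the PRF over (nonce, counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC one record: nonce || ciphertext || tag.
    This is the 'unscrambler' layer sitting below the application."""
    nonce = secrets.token_bytes(16)          # fresh per record, so keystreams never repeat
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, record):
    """Verify the tag in constant time before decrypting; reject anything modified in transit."""
    nonce, ct, tag = record[:16], record[16:-32], record[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record was altered in transit or the host key does not match")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def run_session(encrypt):
    """Push SESSION through the transport.
    Returns (bytes an observer on M records, bytes delivered to the receiving application)."""
    wire = []
    delivered = []
    for _sender, app_bytes in SESSION:
        record = seal(HOST_KEY, app_bytes) if encrypt else app_bytes
        wire.append(record)                                   # what node M can see
        delivered.append(unseal(HOST_KEY, record) if encrypt else record)
    return b"".join(wire), delivered


def password_visible_on_wire(encrypt):
    """True if the password bytes appear in what M observes. The application
    receives identical bytes either way, which is the point of placing the
    layer between the network code and the program."""
    wire, delivered = run_session(encrypt)
    assert delivered == [b for _, b in SESSION]
    return PASSWORD in wire


def tampering_detected(key, record, index):
    """Flip one bit of a sealed record (as a gateway in the middle could) and
    report whether the receiver rejects it."""
    damaged = bytearray(record)
    damaged[index] ^= 0x01
    try:
        unseal(key, bytes(damaged))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("plaintext telnet, password on wire:", password_visible_on_wire(False))
    print("host-keyed layer, password on wire:", password_visible_on_wire(True))
```

The overhead the post worries about is visible here too: every record grows by a 16-byte nonce and a 32-byte tag, and both hosts spend a hash per 32 bytes of payload. The application-layer bytes delivered to the far end are asserted equal in both runs, which is what lets the Telnet program itself stay untouched.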