Re: [hybi] Why not just use ssh?

Gabriel Montenegro <gmonte@microsoft.com> Wed, 01 September 2010 20:17 UTC

From: Gabriel Montenegro <gmonte@microsoft.com>
To: 'Adam Barth' <ietf@adambarth.com>
Date: Wed, 01 Sep 2010 20:17:34 +0000
Message-ID: <CA566BAEAD6B3F4E8B5C5C4F61710C110FAFBEF4@TK5EX14MBXW605.wingroup.windeploy.ntdev.microsoft.com>
References: <d48398080b610405d982ffd924f58e27.squirrel@sm.webmail.pair.com> <AANLkTin8CiHFoOSFdcRPern5YY-FdODC4GST+BrP3t_j@mail.gmail.com> <AANLkTi=fn2JE7a0b_0KFFLwq3eG_-xnaRazXAMPGi0N3@mail.gmail.com> <CA566BAEAD6B3F4E8B5C5C4F61710C110FAFBCBD@TK5EX14MBXW605.wingroup.windeploy.ntdev.microsoft.com> <AANLkTinE1MB10nUhpnU-SC+aLjPmFyu3NhjLC1-wMmW7@mail.gmail.com>
In-Reply-To: <AANLkTinE1MB10nUhpnU-SC+aLjPmFyu3NhjLC1-wMmW7@mail.gmail.com>
Cc: "hybi@ietf.org" <hybi@ietf.org>
Subject: Re: [hybi] Why not just use ssh?

> > I might have missed that part of the discussion, but, if the server is replying to
> > an Upgrade (perhaps over HTTPS) with a 101, and with a random nonce sent by
> > the client, how is this vulnerable to a cross-protocol attack?
> 
> Cross-protocol attacks are quite subtle and generally take years to uncover.
> Your statement is roughly equivalent to "protocol XYZ uses encryption, it might
> be secure against man-in-the-middle attacks, right?"

Not sure how you made that jump. Along the lines of the above, your statement then could be claimed to be "roughly equivalent" to:

"protocol XYZ uses TLS-NPN, obviously it will be impervious to as yet unknown and undiscovered attacks"

Neither statement makes much sense, but luckily nobody's said either of the above. We design protocols based on plausible threat models. If we don't know all the attacks, then increased complexity is not necessarily the answer. Oftentimes it has the opposite effect.
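As an added illustration (not part of this thread or of any hybi draft), here is the client-side check that the nonce-in-Upgrade design makes possible: the client refuses to treat the connection as a WebSocket unless the peer answered 101 and echoed a value derived from the client's fresh nonce. It is written against the Sec-WebSocket-Key / Sec-WebSocket-Accept mechanism that RFC 6455 later standardized, not the 2010 draft under discussion; all function names and the sample responses are constructed.

```python
import base64
import hashlib
import hmac
import secrets

# Fixed GUID from RFC 6455; the server appends it to the client nonce before hashing.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def make_client_nonce() -> str:
    """Fresh 16-byte random nonce, base64-encoded (the Sec-WebSocket-Key value)."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def expected_accept(client_key: str) -> str:
    """Value a real WebSocket server must return in Sec-WebSocket-Accept."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_response(raw: bytes):
    """Minimal HTTP/1.1 response-head parser: (status code, lower-cased header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def handshake_is_valid(client_key: str, raw_response: bytes) -> bool:
    """Client-side check: only a peer that understood the Upgrade and echoed our
    nonce (hashed with the GUID) is accepted; anything else is not a WebSocket."""
    status, h = parse_response(raw_response)
    if status != 101 or h.get("upgrade", "").lower() != "websocket":
        return False
    tokens = [t.strip().lower() for t in h.get("connection", "").split(",")]
    if "upgrade" not in tokens:
        return False
    return hmac.compare_digest(h.get("sec-websocket-accept", ""), expected_accept(client_key))


# Constructed sample exchange using the key/accept pair from RFC 6455 section 1.3.
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
GOOD_RESPONSE = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
                 b"Connection: Upgrade\r\nSec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
# A plain HTTP server that ignored the Upgrade: must be rejected, not treated as a socket.
PLAIN_HTTP_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
# Right status line but an accept value not derived from our nonce (replayed or forged reply).
FORGED_RESPONSE = GOOD_RESPONSE.replace(b"s3pPLMBiTxaQ9kYGzzhZRbK+xOo=", b"AAAAAAAAAAAAAAAAAAAAAAAAAAA=")
```

The last two constants are the cases the nonce is there to catch: a non-WebSocket service answering the same bytes, and a reply that was not computed from this connection's nonce.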