Re: Remote login

["Adam Thompson" <..hidden..>]

> I disagree.
>
> If you are using passwords with SSH, IPsec (PSK), or OpenVPN, then it
> is equivalent to HTTPS using passwords.  Sure there are some minor
> differences in terms of resistance to SYN attacks, and stuff like
> that, but I think that is minor.
>
> What I'm implying is that if you are not using client-side
> certificates/RSA-keys for your SSH, IPsec or OpenVPN security (on top
> of your port-80 ledgersmb), then it's not really very secure at all.
> You might as well stick with HTTPS using passwords.

I don't agree with your premise: it assumes all attackers are equal and 
all threat scenarios are equal, and ignores the near-impossibility of 
getting users to behave in a consistently secure fashion.

Attempting to attack a service delivered over HTTPS is trivial for most 
people - at the application (or possibly web server) level, anyway.
Triviality means there is an army of minimally skilled, bored people 
("script kiddies", colloquially) with nothing better to do than attempt to 
run automated vulnerability scans on the entire internet.

Using IPSec or OpenVPN, regardless of implementation details, immediately 
restricts the pool of potential attackers to persons of at least medium 
skill level - and more importantly, of at least medium *interest* in 
attacking you.  I have the skill to attempt some of the more trivial 
attacks on a service secured by IPSec or OpenVPN, but I have no interest 
in doing so.  (I could probably learn how to do more sophisticated 
attacks, but again, no interest.)

While I am emphatically not a security "expert", I've been part of enough 
security teams for enterprises and ISPs to have seen and dealt with the 
raw numbers: this doesn't follow the 80% rule, the distribution is more 
like 99% unskilled/1% skilled.

Of the 1% of attackers that are *somewhat* skilled (including myself), 
perhaps 1% of those are interested enough to have developed any 
significant knowledge of how to attack SSH tunnels (OK, that one's 
probably a bit more popular), IPSec or OpenVPN.  Of those, some probably 
unknowable, but equally probably very small, percentage are good enough to 
succeed in the general case.

Even if I'm off by an order of magnitude, that's still ?% of 10% of 10% of 
all attackers, or somewhere under 1% of all attacks.

As you point out, using OpenVPN or SSH secured only by password is 
essentially "security by obscurity".

Security by obscurity isn't a theoretically valid approach, and doesn't 
help you one bit in practice against someone who actually wants to see 
your data, but it does eliminate a surprisingly large percentage of 
"drive-by" hackings.  Just running a web server on something other than 
port 80 immediately cuts your exposure by about 75%!  Yes, that only 
eliminates the 75% most incompetent or most disinterested attackers, but 
that does not mean the remaining 25% become any more dangerous - they're 
still exactly as dangerous as before.


The flip side of this is that I have been involved in several (including 
doing the design of one) certificate-based AAA systems, mostly X.509 
PKI-based.  The traditional *enterprise* X.509-style PKI is, IMHO, the 
biggest socio-technical security cluster-fuck our industry has come up 
with so far.  It reminds me of communism: it's the perfect system for 
perfect people.  Only problem is, I don't know any perfect people...

Even with full organizational buy-in, and full-spectrum use of smartcards 
to hold certificates, social engineering still works.  Ordinary (physical) 
theft still works.  People still leave their smartcards stuck in their 
keyboards at the end of the day, and their passwords (or keyphrases, or 
whatever you want to call them) written on post-it notes stuck to their 
monitors.  No organizational consequences appear to matter whatsoever - 
I've seen people fired for breach of security, and that usually eliminates 
grossly unsecure behaviour in others - for about a week.

(Note: I have seen one organization deploy certificates more-or-less 
successfully in a limited fashion, but in their deployment loss of a USB 
key immediately compromises the VPN until revoked, thus negating much of 
the benefit.)

I suspect certificates might work in an organization with military 
discipline, or security-oriented organizations.  I believe the NSA, CSIS, 
RCMP, etc. at least *might* be able to use it more effectively.  My 
clients have always been ordinary private-sector enterprises with ordinary 
occurrences of carelessness, corruption, criminality and apathy.

My point is that if you're using LSMB to track the payoffs from smuggling 
state secrets to terrorist groups or something like that, yes, you should 
be using the absolute best security possible.  In fact, I'd recommend 
using something like GnuCash simply because it's easier to encrypt and 
decrypt the single-file XML datastore before and after each use than to do 
so with an entire PostgreSQL database :-).

On the other hand, if you're using LSMB for convenience because it's 
easier to let the program do the math for you instead of adding up all ten 
transactions you do a month in your consulting business... if I can 
convince those people to even *bother* using HTTPS, it's a win.  If I 
could get them to use PPTP, I'd be ecstatic.  I have one client who 
refuses to use a firewall because they "cost too much".  *sigh*

I understand the <1% of attacks that were always dangerous are still going 
to be just as dangerous; it's the other 99% I'd be happy to get rid of.

>From a technical standpoint, you're 100% correct.
>From a social standpoint, insisting on stronger security usually drives 
people into *less* secure habits.
Barricading the front door with steel shutters doesn't matter if you leave 
the back door unlocked.

Possibly relevant is that in my part of the continent, a simple deadbolt 
in an ordinary pane-glass door is considered adequate (commercial) 
physical security.  I still regularly run into companies that do not have 
an alarm system.  Perhaps the social aspects of the problem wouldn't be so 
intractable if this were a less "safe" place to live; I don't know.

If you're reading this and you think you want to use HTTPS to "secure" 
your web application, great!
If you're worried enough to use a VPN of some sort, great!
If you're worried enough to use three-factor authentication instead of 
two-factor, even better!

But don't worry so much about getting security "right" that you don't even 
bother doing anything: something is still better than nothing.

-Adam Thompson
 <..hidden..>
 (204) 291-7950