[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Remote login
- Subject: Re: Remote login
- From: "Adam Thompson" <..hidden..>
- Date: Sun, 28 Mar 2010 22:21:22 -0500
> I disagree.
> If you are using passwords with SSH, IPsec (PSK), or OpenVPN, then it
> is equivalent to HTTPS using passwords. Sure there are some minor
> differences in terms of resistance to SYN attacks, and stuff like
> that, but I think that is minor.
> What I'm implying is that if you are not using client-side
> certificates/RSA-keys for your SSH, IPsec or OpenVPN security (on top
> of your port-80 ledgersmb), then it's not really very secure at all.
> You might as well stick with HTTPS using passwords.
I don't agree with your premise: it assumes all attackers are equal and
all threat scenarios are equal, and ignores the near-impossibility of
getting users to behave in a consistently secure fashion.
Attempting to attack a service delivered over HTTPS is trivial for most
people - at the application (or possibly web server) level, anyway.
Triviality means there is an army of minimally skilled, bored people
("script kiddies", colloquially) with nothing better to do than attempt to
run automated vulnerability scans on the entire internet.
Using IPSec or OpenVPN, regardless of implementation details, immediately
restricts the pool of potential attackers to persons of at least medium
skill level - and more importantly, of at least medium *interest* in
attacking you. I have the skill to attempt some of the more trivial
attacks on a service secured by IPSec or OpenVPN, but I have no interest
in doing so. (I could probably learn how to do more sophisticated
attacks, but again, no interest.)
While I am emphatically not a security "expert", I've been part of enough
security teams for enterprises and ISPs to have seen and dealt with the
raw numbers: this doesn't follow the 80% rule, the distribution is more
like 99% unskilled/1% skilled.
Of the 1% of attackers that are *somewhat* skilled (including myself),
perhaps 1% of those are interested enough to have developed any
significant knowledge of how to attack SSH tunnels (OK, that one's
probably a bit more popular), IPSec or OpenVPN. Of those, some probably
unknowable, but equally probably very small, percentage are good enough to
succeed in the general case.
Even if I'm off by an order of magnitude, that's still ?% of 10% of 10% of
all attackers, or somewhere under 1% of all attacks.
As you point out, using OpenVPN or SSH secured only by password is
essentially "security by obscurity".
Security by obscurity isn't a theoretically valid approach, and doesn't
help you one bit in practice against someone who actually wants to see
your data, but it does eliminate a surprisingly large percentage of
"drive-by" hackings. Just running a web server on something other than
port 80 immediately cuts your exposure by about 75%! Yes, that only
eliminates the 75% most incompetent or most disinterested attackers, but
that does not mean the remaining 25% become any more dangerous - they're
still exactly as dangerous as before.
The flip side of this is that I have been involved in several (including
doing the design of one) certificate-based AAA systems, mostly X.509
PKI-based. The traditional *enterprise* X.509-style PKI is, IMHO, the
biggest socio-technical security cluster-fuck our industry has come up
with so far. It reminds me of communism: it's the perfect system for
perfect people. Only problem is, I don't know any perfect people...
Even with full organizational buy-in, and full-spectrum use of smartcards
to hold certificates, social engineering still works. Ordinary (physical)
theft still works. People still leave their smartcards stuck in their
keyboards at the end of the day, and their passwords (or keyphrases, or
whatever you want to call them) written on post-it notes stuck to their
monitors. No organizational consequences appear to matter whatsoever -
I've seen people fired for breach of security, and that usually eliminates
grossly unsecure behaviour in others - for about a week.
(Note: I have seen one organization deploy certificates more-or-less
successfully in a limited fashion, but in their deployment loss of a USB
key immediately compromises the VPN until revoked, thus negating much of
I suspect certificates might work in an organization with military
discipline, or security-oriented organizations. I believe the NSA, CSIS,
RCMP, etc. at least *might* be able to use it more effectively. My
clients have always been ordinary private-sector enterprises with ordinary
occurrences of carelessness, corruption, criminality and apathy.
My point is that if you're using LSMB to track the payoffs from smuggling
state secrets to terrorist groups or something like that, yes, you should
be using the absolute best security possible. In fact, I'd recommend
using something like GnuCash simply because it's easier to encrypt and
decrypt the single-file XML datastore before and after each use than to do
so with an entire PostgreSQL database :-).
On the other hand, if you're using LSMB for convenience because it's
easier to let the program do the math for you instead of adding up all ten
transactions you do a month in your consulting business... if I can
convince those people to even *bother* using HTTPS, it's a win. If I
could get them to use PPTP, I'd be ecstatic. I have one client who
refuses to use a firewall because they "cost too much". *sigh*
I understand the <1% of attacks that were always dangerous are still going
to be just as dangerous; it's the other 99% I'd be happy to get rid of.
>From a technical standpoint, you're 100% correct.
>From a social standpoint, insisting on stronger security usually drives
people into *less* secure habits.
Barricading the front door with steel shutters doesn't matter if you leave
the back door unlocked.
Possibly relevant is that in my part of the continent, a simple deadbolt
in an ordinary pane-glass door is considered adequate (commercial)
physical security. I still regularly run into companies that do not have
an alarm system. Perhaps the social aspects of the problem wouldn't be so
intractable if this were a less "safe" place to live; I don't know.
If you're reading this and you think you want to use HTTPS to "secure"
your web application, great!
If you're worried enough to use a VPN of some sort, great!
If you're worried enough to use three-factor authentication instead of
two-factor, even better!
But don't worry so much about getting security "right" that you don't even
bother doing anything: something is still better than nothing.