Bryan Stansell bryan@conserver.com
Fri, 27 Sep 2002 12:25:31 -0700 (PDT)
On Fri, Sep 27, 2002 at 01:48:46PM -0500, John R. Jackson wrote:
> I threatened to write this all up several months ago :-), but your
> letter prompted me to actually do it. See:
>
> ftp://gandalf.cc.purdue.edu/pub/conserver/README.ssh
>
> Note: I am by no stretch of the imagination a security person. If anyone
> sees anything wrong with what I've done, please sing out.

this is so very cool! i hope others out there can benefit from it. i didn't look at it closely, but what i saw was very helpful.

i figured i'd also take this opportunity to tell folks that i am making progress in the ssl realm. the server code is in and a "proof-of-concept" of sorts of the client code is working - unfortunately, the client code has to be adjusted more than i realized so it too can take advantage of encryption.

i also want to warn folks that i'm not putting in any certificate exchange/validation (which would require folks to build certs for the server) into the code (yet). this exposes (according to the book) the app to man-in-the-middle attacks (and maybe other types of attacks that i don't remember, but i don't think so). i'm planning on adding certs as an optional step, but the first round of code (call it alpha or beta or whatever) will leave it out. i'd just like to see an encrypted (however nonauthenticated) session - and figured that would make a lot of other folks happy as well.

i'll make patches available as soon as i get to a stable point and find an internet cafe that lets me attach my laptop so i can upload them. ;-)

Bryan