Skåne Sjælland Linux User Group - http://www.sslug.dk
 

Re: [SIKKERHED] Announcing which OS is running



On Thu, May 27, 2004 at 11:49:23AM +0200, Peter Makholm wrote:
> 
> > Well, there clearly needs to be some sort of protocol version
> > negotiation, if the two parts are going to speak the same version of
> > the protocol, and understand each other.
> 
> HTTP works quite well by having the client ask: "Will you speak
> HTTP/1.1 with me?"

So, you turn the problem around, and have the client announce what it
wants to talk. Then we have the problem of malicious servers attacking
innocent clients, instead of malicious clients attacking innocent
servers. Possibly a slightly less serious problem, but not by much.

> For services running on standard ports it is correct that it does not
> give much of an advantage, but if I had a need to run a particular
> version of SSH, it would be nice to be able to do that on a
> non-standard port and then not necessarily tell that to a
> random port scanner.

I don't know much about port scanners, but if they recognize that there
is an SSH server on that port, they can also do the part of negotiation
that establishes the protocol version.

All in all, this sounds like security by obscurity. A bit of information
hiding is all right, but nothing should depend on it. And IMHO it is of
so little practical use, that there is no need to mandate it.

So, with all respect, I disagree with your statement that announcing
version numbers in the handshake should be forbidden!

- Heikki

-- 
Heikki Levanto    heikki at indexdata dot dk   "In Murphy We Turst"
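
The distinction argued over in this message, as an added example that is not part of the original e-mail: Python that parses an SSH identification string and separates the protocol version a peer needs for negotiation from the software and comment fields that are extra disclosure. It assumes the `SSH-protoversion-softwareversion SP comments` format of RFC 4253 section 4.2; the sample banners are constructed and the function names are hypothetical.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
_IDENT = re.compile(
    r"^SSH-(?P<proto>[^\s-]+)-(?P<software>[^\s-]+)(?: (?P<comments>.*))?$"
)


def parse_ssh_ident(raw: bytes) -> dict:
    """Parse what an SSH server sends first, before any key exchange.

    Lines that do not start with "SSH-" may precede the identification
    string and are skipped, as the RFC allows.
    """
    for line in raw.split(b"\n"):
        text = line.rstrip(b"\r").decode("ascii", errors="replace")
        if not text.startswith("SSH-"):
            continue
        if len(line) + 1 > 255:  # the 255-byte limit includes CR LF
            raise ValueError("identification string longer than 255 bytes")
        m = _IDENT.match(text)
        if m is None:
            raise ValueError(f"malformed identification string: {text!r}")
        return m.groupdict()
    raise ValueError("no SSH identification string found")


def disclosure_report(raw: bytes) -> dict:
    """Split the banner into what negotiation needs and what is extra."""
    ident = parse_ssh_ident(raw)
    return {
        # The peer must learn this to speak the same protocol version.
        "required_for_negotiation": ident["proto"],
        # Product/build string and free-text comments: not needed to agree
        # on a protocol version, so this is the part an operator can trim.
        "extra_disclosure": [
            v for v in (ident["software"], ident["comments"]) if v
        ],
    }


# Constructed sample banners, not captured from any real host.
VERBOSE = b"SSH-2.0-ExampleSSHD_1.2.3 ExampleOS-4build5\r\n"
TERSE = b"welcome line before the banner\r\nSSH-2.0-sshd\r\n"

if __name__ == "__main__":
    for banner in (VERBOSE, TERSE):
        print(disclosure_report(banner))
```

Running `disclosure_report` against the banner of a server you operate shows which fields it volunteers beyond the protocol version itself.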


 
Last modified 2005-08-10, 20:47 CEST