On Mon, 25 Jun 2012 14:59:05 -0700 Doug Barton wrote: > >> Having a copy of the host key allows you to do one thing and one > >> thing only: impersonate the server. It does not allow you to > >> eavesdrop on an already-established connection. > > > > It enables you to eavesdrop on new connections, > > Can you describe the mechanism used to do this?
Through a MITM attack if nothing else > > > and eavesdroppers > > are often in a position to force reconnection on old ones. > > If you can get on the network link between the client and the host, > yes, you can force an existing connection to drop. But that doesn't > require the host's secret key. I didn't say it did, I was referring to the statement: "It does not allow you to eavesdrop on an already-established connection." > >> If the server is set up to require key-based user authentication, > >> an attacker would also have to obtain the user's key to mount an > >> effective man-in-the-middle attack. > > > > If an attacker is only interested in a specific client, it may not > > be any harder to break the second public key, than the first one. > > Well that's just plain nonsense. The moon "may" be made of green > cheese. It depends on the nature of the attack, but the possibility that two arbitrary keys are of similar strength under a specific attack is not on a par with the moon being made of cheese. _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
