ARP-spoofing defense
Topher Fischer
javert42 at cs.byu.edu
Wed Mar 14 14:12:55 MDT 2007
Michael L Torrie wrote:
> On Wed, 2007-03-14 at 10:07 -0700, Nicholas Leippe wrote:
>
>> This is an optimization. Your host does this with the idea that if you do
>> decide to talk to one of these machines from which it has already seen ARP
>> traffic, it can skip that step.
>>
>> As for man-in-the-middle, playing with ARP can cause disruption of services,
>> and could intercept insecure protocols. Which is why for critical data, SSL
>> or other secure mechanism should be used.
>>
>
> Additionally this is why SSL uses certificates that should be verified
> to prove that the host is who it says it is. Also ssh key fingerprints
> should always be verified. How often do we ssh into a box and just
> automatically type "yes" to the fingerprint authorization?
>
> Michael
>
Well, this makes me wonder. Is there a standard way to configure ssh to
use certificates, and for clients to maintain a list of trusted CAs and
trusted certificates?
--
Topher Fischer
GnuPG Fingerprint: 3597 1B8D C7A5 C5AF 2E19 EFF5 2FC3 BE99 D123 6674
javert42 at cs.byu.edu