[techtalk] Almost arrested for using telnet

Magni Onsoien magnio at pvv.ntnu.no
Mon May 14 09:18:08 EST 2001


Mary Gardiner:
> It would have two problems that I can see:
> 
> 1) If you connect to it remotely in http, not https, your password/phrase will
> pass to the webserver in clear text, negating the whole point of ssh.


Mindterm is a Java applet, so it runs on your machine (i.e. in your
local browser on your machine), not on the webserver where you get it.
So it works like any other ssh client and encrypts end-to-end.

> 2) There is an untrusted middle party involved - even if you connect to the
> website in https, they decrypt your password/phrase and the ssh connection from
> them to server reencrypts and sends. Hence the server has a chance to grab
> the passphrase. They do talk about 'tunneling' in their FAQ, so perhaps they
> are avoiding this.

Since it's a Java applet and thus works like a usual ssh client, your
password is always transmitted encrypted. Like with any other code you
haven't inspected and compiled yourself, you can't know for sure that
nobody has done nasty things to it, you just have to trust the
distributor (in this case, the webserver and its owner).

(A signed applet doesn't solve this, except you may trust that the applet
is really what you think it is, provided that nobody "fixed" it before
it was signed, and that you can trust the signature.)



Magni :)
-- 
sash is very good for you.



