
To: Jake Appelbaum <jacob,AT,appelbaum,DOT,net>
Subject: Re: About P.Gutmann's critique of CIPE - etc. etc.
From: Les Mikesell <les,AT,futuresource,DOT,com>
Date: 26 Sep 2003 13:54:39 -0500
Cc: Hans Steegers <steegers,AT,steegers,DOT,nl>, cipe-l,AT,inka,DOT,de
In-reply-to: <1064581151.426.114.camel@eris>
Organization:
References: <003901c38425$3fcf1c20$d620a8c0@pcw_hans.hnsasd.priv> <1064581151.426.114.camel@eris>

On Fri, 2003-09-26 at 07:59, Jake Appelbaum wrote:

> Yes, that was what I imagined needed to be said, out loud for everyone
> to hear. The claims of being "industry strength" are not true. Thanks
> for confirming. 
> 
> A statement that if you need something that isn't easily cracked, messed
> with or otherwise useful for anything but kids playing in tree houses
> with string on cans, go somewhere else.

I think you've missed the point of the issue very badly here.  Boxes
running ssh have been much more exposed and many have been compromised
while there is no known exploit yet for cipe.  Over the time cipe has
been working solidly, ipsec implementations have ranged from
non-existent to buggy, to difficult to configure.  Now we might be
at the point where if ipsec will work in your situation you should
look at it.  However, there are places where ipsec won't work, and
in most places the theoretical exploit for cipe would be quite difficult
to attempt because you must intercept an existing conversation.  If
you are the kind of person who can intercept my Sprint T1 either at
my office or Sprint's, you can also probably manage to break in and
steal a device containing ssh keys or whatever it was you were going
to so much trouble to find. And so far no one has proposed a technique
to do more than inject unexpected packets which could cause trouble
but isn't likely to get anything back for the attacker.

---
  Les Mikesell
    les,AT,futuresource,DOT,com

