[nSLUG] Netscape

Ian Campbell ian at slu.ms
Sat Jan 17 21:51:17 AST 2009

On Sat, Jan 17, 2009 at 07:41:06PM -0400, Richard Bonner wrote:
> ***   Chebucto's shell server is https compliant; would it not have 
> to have security in place in order to be so?

I don't use Chebucto, so I have no idea why HTTPS enters into a shell
account at all... but if you SSH to the chebucto shell server and then
run lynx to your banks HTTPS website, you're still vulnerable to
someone who controls the shell server. They could trojan SSH, trojan
lynx, they could leave both intact and trace the browser, they could
even install a fake cert and redirect you to some random site, unless
you're in the habit of comparing the certificate fingerprints to a
known good set every time you'll be none the wiser.

... so no, you're not really any better off.

>     As for their volunteers, none are far enough up in the organisation 
> that they would have access to personal accounts. Theoretically, some 
> employees at any ISP must have such access. There must be safeguards 
> in place.

There *should* be safeguards in place, that's quite a stretch from
"must" though. Even if they're there, even if they're trustworthy (and
I'm sure they are, sorry Chebucto people), you're still adding another
system into the loop that I guarantee goes under less scrutiny than a
bank's systems.

Besides, policy safeguards only protect you from people with
legitimate access, what about people with access they shouldn't have?
What if someone compromises the machine... or just your account for
that matter.

> ***   How might I get such a virus? It can't come down the shell 
> server pipe unless I manually download and run an infected executable.

No, but few people use their machines as just a terminal.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature
URL: <http://nslug.ns.ca/mailman/private/nslug/attachments/20090118/30f1ede2/attachment-0002.pgp>

More information about the nSLUG mailing list