[nSLUG] Chebucto Security

Jason Kenney jdkenney at gmail.com
Wed Jan 21 15:21:55 AST 2009


>> This is hardly unique to Chebucto. All organizations have this problem.
>> At least if it is a person at the bank then the bank is liable for the
>> fraud. A malicious worker at an ISP is going to have a harder time as
>> the traffic seen by the ISP is already encrypted.
>>
>> Security is all about trade offs. By using Chebucto to access your bank
>> you reduce some of the risks, but you gain other risks. When using a
>> Chebucto shell account (or a computer in a library, coffee shop,
>> neighbour's house, etc.) you must trust the integrity of that system.
>> You must trust the system administrators. You must trust the casual
>> office staff.
>
> ***   Understood. So how is a PPP connection any more secure?
>
>

The difference is where the encryption is taking place.  If you are a
dial-up user over PPP, your browser on your computer is the one doing
the encrypting, before it gets sent out over the network to the ISP to
be routed into the Internet.  You are trusting the integrity of your
own computer.

If you connect to Chebucto via dial-up to the shell and use lynx, then
there is no encryption until the lynx browser *on the Chebucto server*
encrypts the traffic.  The traffic from your computer to the Chebucto
server is unencrypted.  The traffic leaving Chebucto for the Internet
is still encrypted.  You are trusting the integrity of the Chebucto
server.

In this case I would argue you don't need to trust the integrity of
your own computer so much, as you don't have a direct connection to
the internet - while it would be possible to write a
trojan/virus/keylogger that would capture and transmit this
information to an attacker, it would be *significantly* more involved,
and the pool of victims is minimal.  I suspect no such malicious
software exists to this end.


If you connect to Chebucto via some other method, either their PPP
service or by telnet/ssh, then you have the worst of the two above
scenarios.  You must trust the integrity of both.


Jason
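The point of the three scenarios above is where along the path the session is in the clear. The following is an added example for this thread, not code from the original post or from Chebucto: a small model in which an access path is an ordered list of hops and each encryption layer (the browser's TLS session, an ssh session) covers a contiguous span of hops. It computes which hops hold plaintext (and so must be trusted) and which links carry plaintext (and so can be eavesdropped). The hop and scenario names (home_pc, dialup_line, isp, chebucto, internet, bank; "ppp", "dialup_shell", "ssh_shell", "telnet_shell") are constructed to mirror the scenarios in the message. The last scenario, "ssh_tunnel", goes beyond the text: it assumes a hypothetical ssh port-forward through the shell host with TLS running end to end from the home browser, to show how nested layers behave.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Layer:
    """One encryption layer: plaintext enters at hop `src`, ciphertext is
    turned back into plaintext at hop `dst`."""
    name: str
    src: str
    dst: str


@dataclass
class Path:
    """An access path: hops in order from the user to the bank, plus the
    encryption layers that cover parts of it."""
    hops: list
    layers: list = field(default_factory=list)

    def __post_init__(self):
        for layer in self.layers:
            if self.hops.index(layer.src) >= self.hops.index(layer.dst):
                raise ValueError(f"layer {layer.name}: src must precede dst")

    def _span(self, layer):
        return self.hops.index(layer.src), self.hops.index(layer.dst)

    def plaintext_holders(self):
        """Hops that handle the session in the clear and therefore must be trusted.

        A hop is shielded only when it sits strictly inside some layer's span.
        A layer's own endpoints encrypt or decrypt, so they hold plaintext,
        unless another layer (e.g. TLS carried inside an ssh tunnel) still
        covers them."""
        spans = [self._span(layer) for layer in self.layers]
        return [hop for i, hop in enumerate(self.hops)
                if not any(s < i < d for s, d in spans)]

    def plaintext_links(self):
        """Adjacent hop pairs whose wire carries the session unencrypted."""
        spans = [self._span(layer) for layer in self.layers]
        return [(self.hops[i], self.hops[i + 1])
                for i in range(len(self.hops) - 1)
                if not any(s <= i and i + 1 <= d for s, d in spans)]


# Constructed scenarios mirroring the message (hop names are assumptions).
SCENARIOS = {
    # Dial-up PPP: the browser on the home PC speaks TLS to the bank.
    "ppp": Path(["home_pc", "isp", "internet", "bank"],
                [Layer("tls", "home_pc", "bank")]),
    # Dial-up straight into the shell, lynx on the Chebucto host does TLS.
    "dialup_shell": Path(["home_pc", "dialup_line", "chebucto", "internet", "bank"],
                         [Layer("tls", "chebucto", "bank")]),
    # ssh from the home PC to the shell, then lynx on the host does TLS.
    "ssh_shell": Path(["home_pc", "isp", "chebucto", "internet", "bank"],
                      [Layer("ssh", "home_pc", "chebucto"),
                       Layer("tls", "chebucto", "bank")]),
    # telnet instead of ssh: nothing covers the leg to the shell host.
    "telnet_shell": Path(["home_pc", "isp", "chebucto", "internet", "bank"],
                         [Layer("tls", "chebucto", "bank")]),
    # Hypothetical extension: ssh port-forward through the host, TLS end to end.
    "ssh_tunnel": Path(["home_pc", "isp", "chebucto", "internet", "bank"],
                       [Layer("ssh", "home_pc", "chebucto"),
                        Layer("tls", "home_pc", "bank")]),
}


def plaintext_holders(scenario):
    return SCENARIOS[scenario].plaintext_holders()


def plaintext_links(scenario):
    return SCENARIOS[scenario].plaintext_links()


if __name__ == "__main__":
    for name in SCENARIOS:
        print(f"{name:13s} trust: {plaintext_holders(name)}")
        print(f"{'':13s} clear: {plaintext_links(name)}")
```

Reading the output against the message: "ppp" trusts only the home PC and the bank; "dialup_shell" moves the trust to the Chebucto host and exposes the dial-up leg, while still listing the home PC because the keystrokes originate there (the keylogger case the message calls possible but involved); "ssh_shell" trusts both ends and no link is in the clear, and "telnet_shell" additionally exposes the leg to the shell host. The hypothetical tunnel shows that an outer TLS span shields the shell host even though it terminates the ssh layer.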
