[nSLUG] Netscape

Daniel Morrison draker at gmail.com
Wed Jan 21 20:43:15 AST 2009


2009/1/21 Richard Bonner <ak621 at chebucto.ns.ca>:
> On Sun, 18 Jan 2009, Ian Campbell wrote:
>> On Sat, Jan 17, 2009 at 07:41:06PM -0400, Richard Bonner wrote:

>>> ***   Chebucto's shell server is https compliant; would it not have
>>> to have security in place in order to be so?

>> I don't use Chebucto, so I have no idea why HTTPS enters into a shell
>> account at all...

> ***   I assumed it had to be https compliant so as to be able to
> even get on secure websites.

"https compliant" would mean: a web browser that conforms to the
standard method of using SSL (TLS) to encrypt what would be otherwise
an unencrypted 'http' protocol connection.

"lynx" is the web browser that I think you said you use at Chebucto.

Until the moment you type "lynx https://my.bank.website.com/" there is
no concept of 'https compliant', because you haven't run a web browser
yet.

Instead of using Chebucto, you could yell out your back window: "Hey
you! Run an https compliant browser to this address, type this
username, and this password! 'K thanks!"

The browser session is https compliant and secure.  However, you
yelling your username and password credentials out your window is not.
 Dialing up to a shell account at Chebucto is quieter than yelling out
your window, but if a malicious Chebucto employee wanted to spy on you
(IF -- we have no reason to think that such a malicious person exists,
and I'm sure Chebucto staff are honest people) but IF a malicious
Chebucto employee wanted to spy on you, all they would have to do is
"listen" closely.  No breaking of encryption required.

>> but if you SSH to the chebucto shell server and then
>> run lynx to your banks HTTPS website, you're still vulnerable to
>> someone who controls the shell server. They could trojan SSH, trojan
>> lynx, they could leave both intact and trace the browser, they could
>> even install a fake cert and redirect you to some random site, unless
>> you're in the habit of comparing the certificate fingerprints to a
>> known good set every time you'll be none the wiser.
>
> ***   I don't see that as being any different with any other ISP.

Chebucto:

Your computer ---analog_modem---> chebucto servers ---https_lynx--->
bank servers

Obviously, everything from your computer to the point where you type
'lynx' is not encrypted, and there are (nice and I'm sure honest)
Chebucto admins in the general area of 'chebucto servers' there, in
the middle, where there is no encryption going on.  As was pointed out
above, even _after_ the point you type 'lynx', there might be no
encryption, as you have no idea if the 'lynx' provided by Chebucto is
the real lynx, or a clever mock up designed to trick you.  Not likely,
but it _is_ possible.

"Any other ISP" (i.e. the way _most_ other people do it nowadays, with
cable or DSL modems):

Your computer ---https_web_browser---> bank servers

The entire transaction, from the moment it leaves your computer, to
when it arrives at the bank, is encrypted.  There is NO third party
that has the opportunity to spy on you.  You _know_ that the browser
is working properly, because _you_ installed it from a reputable
source.

Very different.

>>> ***   How might I get such a virus? It can't come down the shell
>>> server pipe unless I manually download and run an infected executable.

>> No, but few people use their machines as just a terminal.

> ***   I don't either, but for most of my Internet needs, it is fine.

Yes you do.  If you dial into a Chebucto shell account, your computer
is acting _exactly_ like a terminal.  All the action is happening
remotely, on the Chebucto server, and your computer is "just a
terminal".  You CANNOT infect your computer with malicious code unless
you explicitly download it, and run it.  As you say.

If you do _not_ use your computer "just as a terminal" (for the
purposes of Internet access), then you must be accessing the Internet
directly from your computer.  Ergo, a flaw in the web browser or email
client or whatever could potentially cause your computer to run
malicious code that you never intended to run.

If you have trouble working out if your system is a terminal or not,
ask your self this question: does it matter if my computer is running
Windoze, MacOS, Linux, or DOS?  If the answer is "no, it doesn't
matter, because I run the program I want on Chebucto", then you are
using your computer as "just a terminal".  If the answer is "yes, it
matters: I need to be sure to use the Windows (or MacOS or Linux or
DOS) version of Firefox/Thunderbird/whatever" then your computer is
NOT "just a terminal".

Or another way: if you load a particularly big document, or complex
web page, does your computer's hard drive light start blinking, making
noises, perhaps the CPU fan getting faster, because your computer is
doing more work and getting hot?  Then you're actually using your
computer to run your programs.  If the answer is "no", the reason is
that it's Chebucto's computers that start blinking and working hard;
you're doing the work at Chebucto, and your computer is "just a
terminal".

-D.



More information about the nSLUG mailing list