[nSLUG] Chebucto Security

Richard Bonner ak621 at chebucto.ns.ca
Thu Jan 22 09:49:04 AST 2009


On Wed, 21 Jan 2009, Daniel Morrison wrote:

> 2009/1/21 Richard Bonner <ak621 at chebucto.ns.ca>:
>> On Sun, 18 Jan 2009, Ian Campbell wrote:
>>> On Sat, Jan 17, 2009 at 07:41:06PM -0400, Richard Bonner wrote:

>> Ian Campbell wrote:
>>> I don't use Chebucto, so I have no idea why HTTPS enters into a shell
>>> account at all...
>
>> ***   I assumed it had to be https compliant so as to be able to
>> even get on secure websites.
>
> "https compliant" would mean: a web browser that conforms to the
> standard method of using SSL (TLS) to encrypt what would be otherwise
> an unencrypted 'http' protocol connection.
>
> "lynx" is the web browser that I think you said you use at Chebucto.

***   It is the one provided by Chebucto. Shell server users only have 
two choices, both of which are Lynx versions.


> Until the moment you type "lynx https://my.bank.website.com/" there is
> no concept of 'https compliant', because you haven't run a web browser
> yet.

***   Understood.


> Instead of using Chebucto, you could yell out your back window: "Hey
> you! Run an https compliant browser to this address, type this
> username, and this password! 'K thanks!"
>
> The browser session is https compliant and secure.  However, you
> yelling your username and password credentials out your window is not.
> Dialing up to a shell account at Chebucto is quieter than yelling out
> your window, but if a malicious Chebucto employee wanted to spy on you
> (IF -- we have no reason to think that such a malicious person exists,
> and I'm sure Chebucto staff are honest people) but IF a malicious
> Chebucto employee wanted to spy on you, all they would have to do is
> "listen" closely.  No breaking of encryption required.

***   OK, I see.


>> ***   I don't see that as being any different with any other ISP.
>
> Chebucto:
>
> Your computer ---analog_modem---> chebucto servers ---https_lynx---> bank servers
>
> Obviously, everything from your computer to the point where you type
> 'lynx' is not encrypted, and there are (nice and I'm sure honest)
> Chebucto admins in the general area of 'chebucto servers' there, in
> the middle, where there is no encryption going on.  As was pointed out
> above, even _after_ the point you type 'lynx', there might be no
> encryption, as you have no idea if the 'lynx' provided by Chebucto is
> the real lynx, or a clever mock up designed to trick you.  Not likely,
> but it _is_ possible.
>
> "Any other ISP" (i.e. the way _most_ other people do it nowadays, with
> cable or DSL modems):

***   Actually, that is not the case. There are many that cannot 
afford the gouged prices Canadians pay for wide bandwidth 
connections. Then there are the millions that are outside the 
service areas and must use dial-up.


> Your computer ---https_web_browser---> bank servers
>
> The entire transaction, from the moment it leaves your computer, to
> when it arrives at the bank, is encrypted.  There is NO third party
> that has the opportunity to spy on you.  You _know_ that the browser
> is working properly, because _you_ installed it from a reputable
> source.
>
> Very different.

***   It is. Thanks for the enlightenment.  (-:


>>>> ***   How might I get such a virus? It can't come down the shell
>>>> server pipe unless I manually download and run an infected executable.
>
>>> No, but few people use their machines as just a terminal.
>
>> ***   I don't either, but for most of my Internet needs, it is fine.
>
> Yes you do.  If you dial into a Chebucto shell account, your computer
> is acting _exactly_ like a terminal.  All the action is happening
> remotely, on the Chebucto server, and your computer is "just a
> terminal".  You CANNOT infect your computer with malicious code unless
> you explicitly download it, and run it.  As you say.

***   Correct.


> If you do _not_ use your computer "just as a terminal" (for the
> purposes of Internet access), then you must be accessing the Internet
> directly from your computer.  Ergo, a flaw in the web browser or email
> client or whatever could potentially cause your computer to run
> malicious code that you never intended to run.

***   I do both. I have shell and PPP accounts. I employ the Arachne 
web browser when I use PPP. As it is designed currently, it will not
run any code on my system and is strictly used to view web pages.


> If you have trouble working out if your system is a terminal or not,
> ask yourself this question: does it matter if my computer is running
> Windoze, MacOS, Linux, or DOS?  If the answer is "no, it doesn't
> matter, because I run the program I want on Chebucto", then you are
> using your computer as "just a terminal".  If the answer is "yes, it
> matters: I need to be sure to use the Windows (or MacOS or Linux or
> DOS) version of Firefox/Thunderbird/whatever" then your computer is
> NOT "just a terminal".
>
> Or another way: if you load a particularly big document, or complex
> web page, does your computer's hard drive light start blinking, making
> noises, perhaps the CPU fan getting faster, because your computer is
> doing more work and getting hot?  Then you're actually using your
> computer to run your programs.  If the answer is "no", the reason is
> that it's Chebucto's computers that start blinking and working hard;
> you're doing the work at Chebucto, and your computer is "just a
> terminal".
>
> -D.

***   Thanks for the description, Daniel. Yes, I already understand 
the differences there. It was the understanding of the encryption
that was lacking.  (-:

  Richard


