[mosh-devel] [mosh-users] Logging from mosh-server
Jim Cheetham
jim.cheetham at otago.ac.nz
Wed Jan 8 00:22:07 EST 2014
Oh, and the other thing I should mention is that I tend to talk over-time, so I'll try really hard to speed up & leave some Q&A access: if I have said anything materially inacccurate during the talk it would be handy if you could pop that into IRC, so we can do corrections as well as Q&A :-)
-jim
Keith Winstein <keithw at mit.edu> wrote:
On Wed, Jan 1, 2014 at 11:06 PM, Jim Cheetham <jim.cheetham at otago.ac.nz> wrote:
> Currently I'm on at 13:20 WST (Perth, Australia) on Thursday 9 Jan. I don't
> know your timezone, but that'll be between 9pm and midnight on *Wednesday*
> for the US
> (http://www.timeanddate.com/worldclock/fixedtime.html?msg=lca2014mosh&iso=20140109T13&p1=196).
> If you could start up a new IRC channel for this, I'll pop it up onscreen
> during the Q&A.
Ok, Jim, let's do it in #moshqa on irc.freenode.org. I'll be there.
If I understand your concern correctly, you are concerned that the
mosh-server will decode IP datagrams with any source address. By
contrast, SSH relies on TCP, which only looks at incoming IP datagrams
with a particular source address.
I think where we disagree is that we do not think TCP's filtering by
IP source address has a material effect on security. You
cannot trust that the IP source address is accurate. In general, one
should assume that a bad guy who exfiltrates the SSH session key OR
the Mosh session key can take control of the user's account on the
server. Both session keys (SSH and Mosh) hold the "keys to the
kingdom" in this respect. Of course if a site takes extra steps to make
the IP source address trustworthy (e.g. by requiring packets to come
from an authenticated VPN), both protocols benefit to some degree.
In general, compared with SSH, we think the security of a long-running
Mosh session is probably better because (a) Mosh's AEAD cryptography is
thought to be safer, (b) Mosh authenticates the framing of each
datagram, so is not vulnerable to fake RST and similar DOS attacks (c)
Mosh's design is simpler and more conservative (e.g., Mosh has no code
running as root), and (d) so far Mosh's emprical security track record is
better. Time will tell on all these things, and of course it's
appropriate that the security community take its time getting
comfortable with Mosh -- we welcome the scrutiny and are happy to
participate.
Looking forward to your presentation and answering questions if I can help.
Best regards,
Keith
More information about the mosh-devel
mailing list