[mosh-users] Logging from mosh-server

[Keith Winstein]

On Wed, Dec 18, 2013 at 4:51 PM, Jim Cheetham <jim.cheetham at otago.ac.nz>wrote:

> There's another case I touched on in that speculative malware section
> above; I'm assuming that if the bad guys get the session key, all they
> have to do it to create a "bigger" sequence number and they are
> automatically more preferred than the real client. Is that correct? Are
> smaller sequence numbers logged as bogus? How big can the sequence
> numbers go, what happens when the number wraps back to zero?


Hello Jim,

Yes, if a malefactor gets a hold of the session key it is game over from a
security perspective. Mosh 1.2.1 used to log out-of-order packets and warn
the user about them, but it turns out these are common on some wireless
links (e.g. 802.11n), so we turned off the warning. I'm open to restoring a
warning about "grossly" out-of-order packets, but I doubt it will do much
good -- if a bad guy can execute with the user's privileges to steal the
session key, that's a big problem. If the badguy is running as the user,
they could start up a fresh SSH or Mosh (or anything) connection and log in
from anywhere -- no need to hijack an existing connection, although they
could do that too.

A sequence number is a 63-bit unsigned integer. There's no wraparound. A
legitimate SSP sender will simply end the connection after two petabytes of
data have been sent to preserve the authenticity and privacy of the AES-OCB
stream. There is no key renegotiation.

Some people in the #mosh IRC channel were discussing your upcoming
presentation at linux.conf.au -- it looks very relevant! Would you be
willing to share your conclusions with the list? We are proud of Mosh's
security record so far and interested to work with the security community
as people get more experience with Mosh.

Best regards,
Keith
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/mosh-users/attachments/20131226/433665e0/attachment.htm