Topic review

chrislong2

Thank you Martin. :)
martin

chrislong2 wrote:

So basically, those 2 options will just blindly accept whatever cert or key is presented (though still requiring a cert in the case of FTP TLS/SSL). Thus a spoof/MITM attack could be successful if the network traffic is redirected to a different server. If my understanding is incorrect, please correct me. Otherwise, thanks! :)

Yes, that's correct. Except that the "redirected to a different server" can be misleading. The attacker can operate like a proxy only. So while you are indeed connected to a different "server", you can get the look and feel of your actual server.
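
For comparison with the accept-any option discussed in this thread, here is an added example (not code posted by anyone in the thread) of an FTPS session through the WinSCP .NET assembly that pins the server certificate by fingerprint. The location of WinSCPnet.dll, the parameter names, and the choice of explicit FTPS are assumptions.

```powershell
# Added example, not from the thread. Assumes WinSCPnet.dll sits beside this script.
param(
    [Parameter(Mandatory)] [string]       $HostName,
    [Parameter(Mandatory)] [string]       $UserName,
    [Parameter(Mandatory)] [securestring] $Password,
    # Fingerprint of the server's TLS certificate, obtained from the server
    # administrator over a trusted channel. A value read off the connection
    # itself proves nothing, because a proxy in the path would supply its own.
    [Parameter(Mandatory)] [string]       $PinnedFingerprint
)

Add-Type -Path (Join-Path $PSScriptRoot 'WinSCPnet.dll')

$options = New-Object WinSCP.SessionOptions -Property @{
    Protocol       = [WinSCP.Protocol]::Ftp
    FtpSecure      = [WinSCP.FtpSecure]::Explicit   # assumption: explicit FTPS
    HostName       = $HostName
    UserName       = $UserName
    SecurePassword = $Password
}

# Accept-any setting from the question, left commented out: the session is
# still encrypted, but to whoever answers, including a proxy relaying traffic
# to the real server.
# $options.GiveUpSecurityAndAcceptAnyTlsHostCertificate = $true

# Pinned setting: the session opens only if the presented certificate
# matches the fingerprint supplied above.
$options.TlsHostCertificateFingerprint = $PinnedFingerprint

$session = New-Object WinSCP.Session
try {
    $session.Open($options)
    Write-Host "Connected to $HostName; the certificate matched the pinned fingerprint."
}
catch {
    # A certificate that does not match the pin fails here, before the
    # password is sent to the peer.
    Write-Error "Connection refused: $($_.Exception.Message)"
    throw
}
finally {
    $session.Dispose()
}
```

The SSH equivalent sets SshHostKeyFingerprint instead of GiveUpSecurityAndAcceptAnySshHostKey.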
chrislong2

I had read that awhile back but just read again.

So basically, those 2 options will just blindly accept whatever cert or key is presented (though still requiring a cert in the case of FTP TLS/SSL). Thus a spoof/MITM attack could be successful if the network traffic is redirected to a different server. If my understanding is incorrect, please correct me. Otherwise, thanks! :)
chrislong2

Question on GiveUpSecurityAndAcceptAnyTlsHostCertificate

Hi Martin,

First, thank you for WinSCP, yada yada yada :) :) Seriously - you are awesome!

A Question: My understanding on GiveUpSecurityAndAcceptAnyTlsHostCertificate (and the related GiveUpSecurityAndAcceptAnySshHostKey) is that it accepts any TLS/SSL certificate as valid.

You mention though (and I found a few forum posts from you) where you say that this is bad security, almost like being completely insecure.

I do not fully understand this. Correct me if I am wrong, but if you use these options, then the TLS/SSL (or host key) is still used and required, it's just that it will blindly accept whatever certificate or key the server presents, right?

The only way that would be insecure then is if the certificate or key was maliciously replaced on the server, correct? As long as the cert or key presented by the server is legitimate on the server, then using that option is not any less secure than specifying the specific cert/key to use by fingerprint, right?

That is what I assume, but some of your posts make me wonder if I have missed something and that really these options do something else also that make the connection not be secure.

I agree that using these does open the potential for the connection to be insecure and their use should generally be discouraged in most cases (though there can be legitimate uses for them). But I'm just trying to get my handle on the exact effect of using these options.

Thanks,
Chris