undesirable

nora 2024-08-22 01:31:45 +02:00
parent ed4d6674b1
commit 3d4c1e10d9


@ -146,7 +146,7 @@ For example, if she really cares about this data remaining secret for 50 years,
If she *really* cares about this, she should disable support for it in her configuration, but we want to remain secure even if she forgets this.
Alice's server does support and prefer the latest and greatest ciphers... but what if Eve tricked Alice into believing it didn't support them?
When the server sends its list of supported algorithms, Eve modifies this to only contain 3DES (or some other undesriable cipher).
When the server sends its list of supported algorithms, Eve modifies this to only contain 3DES (or some other undesirable cipher).
When Alice's client advertises her supported ciphers to the server, Eve again modifies it to only contain 3DES.
Now both the server and the client think that the peer only supports 3DES, and select 3DES[^3des-sshd], which is not what Alice would want!
This is called a "downgrade attack", as it downgrades the good security into bad security that can be exploited by Eve.
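Review bot: the commit message "undesirable" does not say what changed; since the only change in this hunk is the spelling fix on the 3DES line (`undesriable` -> `undesirable`), a message such as "Fix typo in downgrade-attack section" would make the history searchable. The corrected line otherwise reads correctly, and the footnote reference `[^3des-sshd]` on the following line is unaffected by this edit.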