[swift-server-dev] When OpenSSL become a MITM

Michael Chiu hatsuneyuji at icloud.com
Wed May 17 22:03:33 CDT 2017


1. First of all, OpenSSH != OpenSSL.
2. It is the sysadmins’ responsibility to install software/packages from a trusted source.
3. The patch you shared is a patch to weaponize ssh, not one that injects malicious code and creates a backdoor in the local sshd.
4. It is the users’ freedom to launch an attack (in this case).
5. Unless we force users to stick with the exact version of the SSL library, there’s no way to validate it as far as I know (which in fact makes it less secure, since users are less likely to receive the latest patch on time).

It’s like asking how to validate that a compiler does not inject malicious instructions into the binary.

Cheers

> On May 17, 2017, at 7:00 PM, Joy Keys via swift-server-dev <swift-server-dev at swift.org> wrote:
> 
> How does Server Side Swift validate the critical components and libraries to assure the compiled code does not contain backdoors and MITM?
> 
> I found there is a rogue patch
> https://github.com/jtesta/ssh-mitm
> 
