On Fri, Sep 12, 2008 at 2:05 PM, johan beisser <[EMAIL PROTECTED]> wrote:
...
> I'm not going to say "It's impossible." It's not. How about "really highly
> unlikely" that Eve will pick up enough useful signal to decrypt which
> letters are being typed by the user. I know that not everyone uses ssh keys,
> or chains authentication back to themselves.. but.. c'mon, be realistic.

This is about security. Being realistic means *not* being optimistic that extracting data will be "too hard", "too unlikely", "only applicable to a subset of people [and certainly not me]", etc. Have you not read enough papers that start with something like "It was previously thought that attack [foo] was impractical for the following reasons: [blah blah blah]. This paper demonstrates practical circumstances under which those reasons fail or don't apply and the attack succeeds"?

As such, statements of "can't be done" that don't have hard data or proofs attached are pretty much worth the electrons they were sent with. You might not see how the published attack can be made practical against you, but someone else will almost certainly see the next link in making it so.

The original posters didn't sound like they were being overly sensationalist, just interested in cutting off a possible avenue of attack *before* it becomes a problem.

> Frankly, concern over someone sniffing and discovering your password over
> captured ssh traffic pattern analysis is much less likely than someone
> shoulder surfing your system password first, or your ssh key passphrase.

They're different types of attacks; they have different applicability. Perhaps the timing attack can be done remotely, over a long period of time, and therefore has a much lower risk of detection. Even better, it may be possible to do it 'in bulk', where shoulder-surfing and similar is much harder to parallelize.

Philip Guenther