On Wed, Jan 23, 2002 at 11:50:49PM +0100, Thomas Steffen wrote:
> Dan Stromberg <[EMAIL PROTECTED]> writes:
>
> > I realize ssh can encrypt X traffic, but that isn't much help for a
> > typical enduser with an X terminal, for example.
>
> Nothing you do would be much help to them (present X terminal users),
> either, I guess :-)

Unless the default for X connections became "encrypt if both ends support it, otherwise silently do the old way" or "encrypt if both ends support it, otherwise give a one-line nag and do the old way".

> > Would this mean a modification to the X server and Xlib?
>
> Yes, both, obviously.

I'm not new to programming, but I've never done a project inside of X. X apps, sure, and some very low level systems programming, but I think this is different enough from both that I'd better consult people with more experience before thinking about ploughing in.

> > Could it be done transparently to X applications (other than xhost)?
>
> If ssh can do it, why shouldn't you?

Just making sure.

> > Would a server extension be the best way to make the feature
> > available as an option?
>
> I would compare it to the low bandwidth extension lbx, which is about
> compression, not encryption, but very similar in concept. lbx uses a
> proxy on the client side, though there have been rumors of integrating
> it into Xlib for ages.

I'd hate to require a proxy. It has to be a total no-brainer for endusers to make much of a difference.

> > Would AES be the right encryption algorithm? If yes, are there any
> > suitably-licensed implementations of AES available already?
>
> I am not a crypto expert, but this is certainly a serious problem. You
> have real time constraints, timing may be important for security. Then
> again you have to guard against faked identification, sniffing and man
> in the middle attacks...

I agree, timing is an issue. I'm not that worried about MITM attacks, but might try to guard against them if there's a big howling about better security that isn't perfect security.

> Actually ssh could be a nice starting point :-)

I have my doubts. But I'm listening.

> > Or would it make more sense to act a bit like xauth, for ease of
> > implementation?
>
> You have to deal with xauth, or where shall the initial authentication
> come from?

I have a suspicion it could be done orthogonally to both xhost and xauth, and any other auth system in use.

> > Are there legal ramifications to the free distribution of XFree86 if
> > this kind of encryption is incorporated into it?
>
> Yes, very much so, so it probably won't go into the tree. You have to
> distribute it separately.

This could kill the project. Does everyone agree such an improvement couldn't go into the main tree?

> So what again is the problem with ssh?

The other guy had it right - it has to be a no-brainer, and work on a true X terminal. I use ssh for my stuff, but that doesn't help people with real X terminals.

--
Dan Stromberg UCI/NACS/DCS
