Fixing the Problem
This article hopes to set a baseline of understanding on these topics:
- What SSH can do
- How SSH can encrypt other applications normally left unencrypted
- How good security intentions can lead to bad security design
- How unmonitorable an SSH attack can be
- How pervasive SSH technology can be, such that we may find bad SSH security designs hidden among the web server farms
Having covered this much ground, it’s important to consider all the factors and work on a better security plan. Review this material and see how many controls you can come up with that jibe with my suggestions. Consider adding to the comments section so that all of us can partner on an Internet-driven solution.
For the record, I’ve been a server administrator, a web site administrator, a firewall administrator, etc. I’m even a has-been developer now making penance for my earlier foolish escalations. I’m not singling out any particular type of administrators for abuse. We all have a job to do, and when we work together, the job’s done well. As single-minded individuals pressing our own needs in front of others, however, we get into these terrible security designs. So let’s make this the first step to a solution: all the parties coming together to understand the problem better.