When OpenSSL becomes a MITM


(James Lei) #1

How does Server Side Swift validate the critical components and libraries
to assure the compiled code does not contain backdoors and MITM?

I found there is a rogue patch
https://github.com/jtesta/ssh-mitm


#2

1. First of all, OpenSSH != OpenSSL.
2. It is the sysadmins’ responsibility to install software/packages from trusted sources.
3. The patch you share is a patch to weaponize ssh, not one that injects malicious code and creates a backdoor in the local sshd.
4. It is the users’ freedom to launch an attack (in this case).
5. Unless we force users to stick with the exact version of the SSL library, there’s no way to validate it as far as I know (which in fact makes it less secure, as users are less likely to receive the latest patch on time).

It’s like asking how to validate that a compiler does not inject malicious instructions into the binary.

Cheers


On May 17, 2017, at 7:00 PM, Joy Keys via swift-server-dev <swift-server-dev@swift.org> wrote:

How does Server Side Swift validate the critical components and libraries to assure the compiled code does not contain backdoors and MITM?

I found there is a rogue patch
https://github.com/jtesta/ssh-mitm