[ntp:questions] Re: 4.2.1-RC

David Woolley david at djwhome.demon.co.uk
Tue Mar 28 21:07:18 UTC 2006

In article <slrne2if0a.lci.kostecke at stasis.kostecke.net>,
Steve Kostecke <kostecke at ntp.isc.org> wrote:

> Using SSL keeps clear-text passwords off the wire.

Given that, for most of the network, doing an OSI layer 1 passive tap
requires specialist hardware (and in some cases may be almost impossible),
whereas doing a layer 4 active tap can be done with standard hardware
and slightly tweaked software, that sounds like a false sense of
security to me.  (In fact, with a little bit of social engineering,
of the phishing variety, the layer 4 tap can be done on a standard PC
anywhere in the world.)

Without authentication, there is nothing preventing a layer 4 upwards
active tap, by anyone who can gain physical access anywhere on the path,
or can social engineer you.
