Ira,
Sorry, I guess I forgot to re-subscribe to the IDS list post-Apple, but I have some issues with the following text in section 12.7.17 on SSH:
Note: SSH is inherently dangerous, because implementation or configuration errors can allow privilege escalation and unconstrained remote shell capabilities on target systems. SSH has major security flaws and has often been used for widespread Internet attacks by intelligence agencies and criminal organizations. Therefore, SSH is unsuitable for use in any HCD.
SSH is an Internet Standard and is IMHO the only viable solution for a remote "shell" interface. Honestly I wouldn't want any vendor to try to invent their own "secure" solution (you know what happens then...)
I would much prefer that the PWG talk about *what* the actual security considerations are and not focus on historical issues that have a) been fixed and b) affected specific implementations of SSH and not the protocol itself.
For example:
Note: The Secure Shell protocol is a common target for exploitation by malicious actors. See section 9.X for a discussion of the security considerations of providing an SSH service on an HCD.
and then:
9.X Secure Shell (SSH) Considerations
HCDs that provide an SSH service MUST NOT enable a common default password and MUST restrict the commands that can be executed to those needed for maintenance of the HCD that cannot be supported through other standard protocols.
We can debate what the full text should be, but IMHO the focus should be that a) SSH is a common target, b) SSH (like all HCD software) needs to be updated to address security issues, and c) SSH should not provide general access to the device. Ideally it shouldn't be needed, but some HCDs are complex enough that a service tech might need to dig a bit to configure/fix things.
________________________
Michael Sweet
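As an added example of the two requirements proposed above (no common default password, and commands restricted to what maintenance needs), the following is one way an HCD vendor could enforce them with stock OpenSSH. It is not from the PWG draft or from Michael Sweet's message. It assumes a dedicated maintenance account (hypothetical name `hcd-maint`), a wrapper installed at the hypothetical path `/usr/local/sbin/hcd-maint-shell`, and hypothetical maintenance programs named in the allowlist; the sshd_config keywords in the comment are real OpenSSH directives.

```shell
#!/bin/sh
# Added example (not from the PWG draft or the message above): a ForceCommand
# wrapper that limits an HCD maintenance account to an allowlist of commands.
#
# Assumed sshd_config fragment (account and path names are hypothetical):
#   PermitRootLogin no
#   Match User hcd-maint
#       PasswordAuthentication no      # keys only: no shared default password
#       PermitTTY no                   # no interactive shell
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand /usr/local/sbin/hcd-maint-shell
#
# With ForceCommand, sshd runs this script instead of whatever the client
# asked for and exposes the client's request in SSH_ORIGINAL_COMMAND.

# Map an allowlisted keyword to the program it runs (hypothetical programs).
# Prints the program path and returns 0, or returns 1 if not allowlisted.
hcd_maint_resolve() {
    case "$1" in
        status)          echo "/usr/local/sbin/hcd-status" ;;
        logs)            echo "/usr/local/sbin/hcd-export-logs" ;;
        restart-spooler) echo "/usr/local/sbin/hcd-restart-spooler" ;;
        *)               return 1 ;;
    esac
}

# Validate the whole request: non-empty, a single token made only of
# [A-Za-z0-9_-] (so no arguments, spaces or shell metacharacters), and on
# the allowlist. Prints the resolved program path on success.
hcd_maint_check() {
    req="$1"
    case "$req" in
        ""|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    hcd_maint_resolve "$req"
}

# Dispatch: log the decision to syslog (when logger is available) and exec
# the allowlisted program; anything else is refused, including an empty
# request, which is what an interactive shell attempt looks like here.
hcd_maint_main() {
    prog=$(hcd_maint_check "${SSH_ORIGINAL_COMMAND-}") || {
        if command -v logger >/dev/null 2>&1; then
            logger -t hcd-maint "rejected request from ${SSH_CLIENT-unknown}: ${SSH_ORIGINAL_COMMAND-<none>}"
        fi
        echo "command not permitted" >&2
        exit 127
    }
    if command -v logger >/dev/null 2>&1; then
        logger -t hcd-maint "running $prog for ${SSH_CLIENT-unknown}"
    fi
    exec "$prog"
}

# Only dispatch when installed and invoked under the wrapper's own name, so
# the functions above can be sourced and exercised on their own.
case "${0##*/}" in
    hcd-maint-shell) hcd_maint_main ;;
esac
```

The allowlist deliberately takes a bare keyword rather than a command line: the wrapper never passes client-supplied text to a shell, so there is nothing to quote or escape, and every rejected request lands in syslog with the client address, which is the kind of event an HCD's logging should surface.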