What does the message "warning connection not secure" mean?

Last revision June 29, 2004

Whenever you do a plain text telnet login to pangea, you will now get a warning message that your connection is not secure. Such logins can be made with any telnet client software from any type of remote computer or terminal.

During a plain text telnet login, everything that you type -- including your pangea password -- is transmitted across the network in plain text. Thus, there is the possibility that someone could "spy" on that network traffic and capture your password. This is a favorite tactic of hackers who have broken into one computer on a network and want to capture the passwords for users on other computers on the same network.

The design of the network in Earth Sciences reduces the risk that a hacker will be able to spy on our network traffic and capture passwords when you log in from your office to pangea. But the risk is very high for logins from remote sites, including logins from Escondido Village, and there have been many incidents where pangea passwords have been captured by hackers from such remote logins.

The best way to prevent hackers from capturing passwords on networks is to use a form of encrypted login. Encrypted logins use practically unbreakable codes to encrypt not just your password, but everything you type during your session, so that it is unreadable by anyone who might be spying on the network. Of course, to use a form of encrypted login, you need to install special software on your local computer.

The preferred form of encrypted login at Stanford is called kerberos. Your SUNet ID and password are recognized by the kerberos authentication servers on campus, and can be used to log in to the leland systems, pangea, many of the Unix workstations in the School of Earth Sciences, and certain restricted web pages.

To use kerberos from a desktop computer, you must install the MacLeland/Samson programs on a Macintosh, or the PCLeland/Samson programs on a PC running Windows. These programs are available from these web pages:
http://www.stanford.edu/group/itss/macstanford

MacLeland or PCLeland is the system extension that pops up a dialog box on your screen to request your SUNet ID and password, and then encrypts them before passing them on to the kerberos authentication servers and the computer that you want to log in to. Samson is the telnet login program that knows how to work with MacLeland/PCLeland. You must have the combination (MacLeland/Samson or PCLeland/Samson) to make kerberos encrypted telnet logins to pangea or the central systems.

Unfortunately, telnet logins (where you get a pangea command line prompt) are not the only kind of login to pangea that may expose a password to hackers on the network. Here are some other kinds of logins that can send your password across the network in plain text:

Once you have MacLeland or PCLeland installed, you can configure Eudora to use kerberos for authentication and thus eliminate another possible source of password capture. Check these Eudora instructions on the web:
http://www.stanford.edu/group/itss/macstanford/install_eudora.html
These instructions are written for folks who use the leland systems to receive email. They also work for folks receiving their email on pangea, except that you should enter pangea.stanford.edu when configuring Eudora wherever the instructions say to enter userid.pobox.stanford.edu or leland.stanford.edu.

If you need help installing MacLeland or PCLeland or configuring Eudora to use kerberos logins, you can submit a HelpSU request at 5-8181 or using the web form at

Kerberos logins do not work well unless your pangea account name is the same as your SUNet ID. All pangea accounts created during the last two years have been made the same as the user's SUNet ID. But folks who have been around for a while may have a pangea account name that is different from their SUNet ID. In those cases, contact the system manager to change your pangea account to match your SUNet ID. Your old pangea name can be retained as a mail alias, so email sent to that old name will still reach you.

The MacLeland or PCLeland kerberos programs will also work with Outlook, Outlook Express and Netscape Communicator mail through a method known as proxy localhost. See the MacLeland or PCLeland instructions to set it up. Otherwise, logins to read mail with these programs will send your password in plain text over the network. Also remember that Outlook and Outlook Express are the favorite target of email virus writers. Because of that, their use is strongly discouraged.

There is no method yet to use kerberos logins for X-terminal, ftp or AppleShare connections. All these forms of non-kerberized connections to pangea use your local pangea password, not your SUNet ID password. The local pangea password is the one you set when you first got your pangea account. Because that local password is used for these types of plain text logins, and is vulnerable to capture by a hacker, the local password should NEVER be the same as your SUNet ID password.

If you have a Unix workstation in your group, you can install both the kerberos client software, which lets you make kerberized encrypted telnet or rlogin connections to other computers, and the kerberos server software, which allows you to make kerberized logins into your workstation from remote sites. Ask Kai Lanz for help installing kerberos software on a Unix workstation.

Another method of encrypted login is called ssh. This is a public domain encryption method. Telnet login client software that uses ssh is available from freeware or shareware software archives for the PC Windows platform and for most Unix systems. Ssh version 1 is installed on pangea and pangea will accept ssh logins. For ssh logins, you use your local pangea password, NOT your SUNet ID password.
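
Because the ssh server described above speaks protocol version 1, an ssh client has to support a version the server offers. The following added example (not part of the original page) parses the identification line an ssh server sends on connect and reports which protocol versions it offers; the function names and the sample banners are constructed for illustration.

```python
import re
import socket

# Identification line: "SSH-<protoversion>-<softwareversion>[ <comments>]" (RFC 4253, 4.2).
_ID_RE = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)(?: (.*))?$")

def classify_ssh_banner(raw: bytes) -> dict:
    """Report which SSH protocol versions the server banner in `raw` offers."""
    # Servers may send other text lines first; the identification line is
    # the first one that begins with "SSH-".
    for line in raw.decode("ascii", errors="replace").splitlines():
        if not line.startswith("SSH-"):
            continue
        m = _ID_RE.match(line)
        if not m:
            raise ValueError(f"malformed identification line: {line!r}")
        major, minor = int(m.group(1)), int(m.group(2))
        if (major, minor) == (1, 99):
            offers = {1, 2}   # compatibility mode: server speaks both
        elif major in (1, 2):
            offers = {major}
        else:
            raise ValueError(f"unknown protocol version {major}.{minor}")
        return {"protocol": f"{major}.{minor}", "software": m.group(3), "offers": offers}
    raise ValueError("no SSH identification line found")

def client_can_connect(banner: bytes, client_versions: set) -> bool:
    """True if the client and server share at least one protocol version."""
    return bool(classify_ssh_banner(banner)["offers"] & client_versions)

def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Read the server's greeting without authenticating or sending anything."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        while not (b"SSH-" in data and data.endswith(b"\n")) and len(data) < 4096:
            chunk = s.recv(256)
            if not chunk:
                break
            data += chunk
    return data

# Constructed sample banners (not captured from pangea or any real host).
SAMPLES = {
    "v1 only": b"SSH-1.5-1.2.27\n",
    "v1 and v2": b"SSH-1.99-OpenSSH_3.8.1p1\r\n",
    "v2 only": b"Notice: authorized use only\r\nSSH-2.0-OpenSSH_9.6 sample-comment\r\n",
}

if __name__ == "__main__":
    for label, banner in SAMPLES.items():
        info = classify_ssh_banner(banner)
        print(label, info["protocol"], sorted(info["offers"]),
              "v2-only client ok:", client_can_connect(banner, {2}))
```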