In 2004, the e-Berkeley Steering Committee agreed to adopt a set of minimum security standards to which all Berkeley computers must adhere. The standards include the following language related to secure authentication:
Unencrypted device authentication mechanisms are only as secure as the network upon which they are used. Traffic across the campus network may be surreptitiously monitored, rendering these authentication mechanisms vulnerable to compromise. Therefore, all campus devices must use only encrypted authentication mechanisms....
In particular, historically insecure services such as Telnet, FTP, SNMP, POP, and IMAP must be replaced by their encrypted equivalents.
In the 1990s, and early in this decade, most passwords were sent over the campus network with no encryption at all. Telnet (used for Unix shell access to machines like socrates), FTP (used for transferring files), and POP (used by Eudora) sent the password across the network unencrypted, so an interloper who had broken into our network could capture the password, and with it the account of the person using the password. That account could then be used to attack other machines, and to hide the identity of the perpetrator.
Fortunately, there are secure alternatives for all these insecure protocols. SSH can replace both Telnet and FTP, and many other client programs that need to transfer files (such as Dreamweaver) have built-in SFTP (secure FTP) support. Recent versions of Eudora also support secure connections for sending and receiving mail, as do all versions of the Thunderbird email client.
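For anyone who administers a machine, the following added example (not part of the minimum standards or of any campus tool) checks a host's listening sockets for the five services the standard names. The input is constructed sample text in the format of `ss -tulnH`; the port numbers are the standard assignments, and the suggested replacements for POP, IMAP and SNMP are assumptions, since this page names only SSH and SFTP.

```python
# Added example: flag listeners on the cleartext services named in the standard.
# SAMPLE_SS is constructed text in the format of `ss -tulnH`, not from a real host.
SAMPLE_SS = """\
tcp   LISTEN 0 128 0.0.0.0:22     0.0.0.0:*
tcp   LISTEN 0 5   0.0.0.0:23     0.0.0.0:*
tcp   LISTEN 0 32  [::]:21        [::]:*
tcp   LISTEN 0 100 127.0.0.1:143  0.0.0.0:*
tcp   LISTEN 0 100 *:993          *:*
udp   UNCONN 0 0   0.0.0.0:161    0.0.0.0:*
"""

# (transport, port) -> (service named in the standard, encrypted equivalent).
# A hit is a candidate to verify: a 110/143 listener may require STARTTLS,
# and a 161 listener may already be restricted to SNMPv3.
CLEARTEXT = {
    ("tcp", 21): ("FTP", "SFTP over SSH"),
    ("tcp", 23): ("Telnet", "SSH"),
    ("tcp", 110): ("POP", "POP3 over TLS"),
    ("tcp", 143): ("IMAP", "IMAP over TLS"),
    ("udp", 161): ("SNMP", "SNMPv3 with authPriv"),
}
LOOPBACK = ("127.", "[::1]")  # listeners bound here never cross the network


def audit(ss_output):
    """Return one finding per listener on a historically cleartext service."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        # rpartition splits on the last colon, so "[::]:21" and "*:993" both work
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        hit = CLEARTEXT.get((proto, int(port)))
        if hit is None:
            continue
        findings.append({"service": hit[0], "listen": local,
                         "network_exposed": not addr.startswith(LOOPBACK),
                         "replace_with": hit[1]})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SS):
        scope = "network" if f["network_exposed"] else "loopback only"
        print(f"{f['service']:7} {f['listen']:15} {scope:14} -> {f['replace_with']}")
```

A listener bound only to loopback is reported but marked as not network-exposed, because the standard's concern is traffic that can be monitored on the campus network.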
The implementing guidelines portion of the minimum standards policy contains information on how to connect without exposing your password to the nefarious.
By using secure authentication, you will be protecting yourself as well as everyone else on the network. You will have to make some small changes at first, but in the long run you can follow policy, be a good network citizen, and still get all your work done.