Secure Chat with YTalk and SSH
Subject:   Don't quit your day job
Date:   2003-02-15 20:24:02
From:   anonymous2
I can't believe this article passed and made it to publication.

The title says "Secure Chat ....".

This is NOT SECURE !

You're (using ssh) securing a connection from point A (your desktop) to point B (an arbitary server).

Good, anything that goes back and forth between the server and you is encrypted.

Then you run ychat and invite someone else on the same server B to join you. Have they also used ssh to connect to server B ? Are they local on the box ? did they telnet in ? Unless their connection is also secure, the whole privacy thing is blown out of the water. Remember, all chat participants will receive all other participant's messages, and security is as strong as it's weakest link.

But wait, what is this ? You have ychat run by person X connecting to another instance of ychat (or talk, or whatever) run by person Y. But how do the 2 ytalk's talk together ?

Think about it for a second, then run this command on machine B:
tcpdump -X port ntalk

And presto.. There's your cleartext conversation being sniffed as easy as pie.

The *only* way to secure such a chat via ssh is via ssh's tunneling and port-forwarding, which was not mentioned in this article.

- Mina