undefined | Better HN

0 pointsteddyh2y ago0 comments

Because port knocking is fundamentally a stupid idea: <https://news.ycombinator.com/item?id=39898061>

0 comments

Two of your three points don't apply to Moxie's and some other implementations, for example Singe Packet Authentication. You can have sufficient bits, and it doesn't have to be cleartext. Maybe it's technically not port knocking anymore, but it's the same idea.

And it's not about adding more bits to your authentication, it's about vulnerabilities that can be exploited without authentication, like the recent xz backdoor debacle. Port knocking would defend against that, longer keys would not.

This has all been pointed out to you in the thread you linked.

teddyhOP2y ago

> Maybe it's technically not port knocking anymore, but it's the same idea.

At that point, it’s equivalent to a point-to-point VPN, which is the same as IPSec transport mode. Which is what you ought to be using instead of port knocking, if your threat model includes 0-day vulnerabilities in public-facing services like SSH.

j / k navigate · click thread line to collapse

0 comments

mr_mitm2y ago

This has all been pointed out to you in the thread you linked.

teddyhOP2y ago

> Maybe it's technically not port knocking anymore, but it's the same idea.

j / k navigate · click thread line to collapse