|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical RE: RSA Patent Expired
On Wed, 4 Oct 2000, Enkhyl wrote: > On Wed, 4 Oct 2000, Richard A. Steenbergen wrote: > > > On Tue, 3 Oct 2000, Richard Welty wrote: > > > > > Bill Fumerola [mailto:[email protected]] wrote: > > > > OpenSSH uses RSA for ssh1, so it too benefited greatly > > > > from RSA's release of the code into the public domain. > > > > > > except that nobody should be using ssh1 for _anything_ if they can > > > possibly avoid it. even the orginal authors of ssh are strongly > > > advocating > > > consigning ssh1 to the trash heap of computer security. > > > > I think you're confused, ssh1 is still a very valid protocol. It is well > > tested and proven, and in many cases better implemented then ssh2 (though > > of course that may change eventually). Don't confuse the desire to make > > money with insecurity. > > There are known holes in the SSH1 protocol, which is why it is recommended > that the SSH2 protocol be used. > > http://www.securityportal.com/list-archive/bugtraq/1999/Dec/0195.html > > The vulnerability is non-trivial to exploit, but it is a flaw. See the > reference in the above link. Hence the addition of a strong MAC in ssh2. This is a pretty difficult attack to pull off, but I'll agree its handled better in ssh2. -- Richard A Steenbergen <[email protected]> http://www.e-gerbil.net/humble PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
|