back to article OpenSSH chink bares encrypted data packets

Cryptographers are urging users of a widely employed network protocol to make sure they're running the latest version after discovering a flaw that could allow attackers to read data that's supposed to remain encrypted. All programs that incorporate the OpenSSH implementation of SSH, short for Secure Shell, should make sure …

COMMENTS

This topic is closed for new posts.
  1. Tam Lin

    Devastating misleading article

    Late 90's? OpenSSH was released December 1, 1999, but the first real release featuring substantial OpenSSH-project written code, including support for protocol version 2 was released June 15, 2000. Also, the theoretical vulnerability you mentioned was protocol-based, not limited to OpenSSH. And what is the non sequitur about OpenSSL doing there? You missed some other completely unrelated look-alikes, such as OpenSS and OpenSSO.

    Axe to grind or lazy?

  2. Anonymous Coward
    Anonymous Coward

    Just a reminder..

    That the OpenSSH dev's were not responsible for the flaw introduced by the modifications made by the Debian team.

  3. Anonymous Coward
    Anonymous Coward

    Sources?

    What are the sources for this article? Is it, perhaps, this case from November?

    http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt

  4. Kenny Paterson

    Re: Sources?

    Yes, it's the case from November. The technical paper describing the research was published this week at the IEEE Symposium on Security and Privacy. The paper is now online here:

    http://www.isg.rhul.ac.uk/~kp/SandPfinal.pdf

    Cheers,

    Kenny

  5. Nate Lawson

    Late 90's SSH flaw

    Hi, I was referring to this attack by CORE in 1998, which allows insertion of data into a session:

    http://www.coresecurity.com/content/An-attack-on-CRC-32-integrity

    The article isn't clear that this wasn't OpenSSH flaw per se, although it certainly was based on the SSH code that later became OpenSSH. It was a flaw in the SSH protocol version 1 itself, not a particular implementation.

    Since the attack Albrecht et al are discussing is a protocol problem, it is fair to compare it to other protocol problems SSH has had in the past. It's good they found this problem, and it's good to see the SSH protocol is getting more secure over time.

    -- Nate

This topic is closed for new posts.

Other stories you might like