Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


RE: RSA Patent Expired

  • From: Richard A. Steenbergen
  • Date: Wed Oct 04 20:21:03 2000

On Wed, 4 Oct 2000, Enkhyl wrote:

> On Wed, 4 Oct 2000, Richard A. Steenbergen wrote:
> 
> > On Tue, 3 Oct 2000, Richard Welty wrote:
> > 
> > > Bill Fumerola [mailto:billf@chimesnet.com] wrote:
> > > > OpenSSH uses RSA for ssh1, so it too benefited greatly
> > > > from RSA's release of the code into the public domain.
> > >
> > > except that nobody should be using ssh1 for _anything_ if they can
> > > possibly avoid it. even the original authors of ssh are strongly
> > > advocating consigning ssh1 to the trash heap of computer security.
> > 
> > I think you're confused, ssh1 is still a very valid protocol. It is well
> > tested and proven, and in many cases better implemented than ssh2 (though
> > of course that may change eventually). Don't confuse the desire to make
> > money with insecurity.
> 
> There are known holes in the SSH1 protocol, which is why it is recommended
> that the SSH2 protocol be used.
> 
> http://www.securityportal.com/list-archive/bugtraq/1999/Dec/0195.html
> 
> The vulnerability is non-trivial to exploit, but it is a flaw. See the
> reference in the above link.

Hence the addition of a strong MAC in ssh2. This is a pretty difficult
attack to pull off, but I'll agree it's handled better in ssh2.

-- 
Richard A Steenbergen <ras@e-gerbil.net>   http://www.e-gerbil.net/humble
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)





