
Re: Safe to use Mindterm?



> Anne Carasik <gator@cacr.caltech.edu> wrote on 13/05/2002 (17:55) :
> > Security issues? Can you be more specific?
> >
> > There aren't any security issues (yet) with the SSH 2.0 protocol.
> >
> > From what I know, there aren't any issues using mindterm for 2.0
> > either :)
> >
>
> But the Mindterm package in Debian does not support SSH 2.0, this is the
> point. It supports 1.x only.

SSH 1 has two major kinds of security vulns:
1) Bugs in the server daemon. ... These have been mostly resolved and
don't really concern the client user.
2) Bugs in the design of the protocol. Because ssh1 allows you to deduce
how many (unencrypted) bytes of data you are sending in each packet, there
are a host of things that make it easier to crack passwords. Additionally,
if you use the RC4 cipher, it is trivial to crack one's password. Some
interesting articles on this are:
http://216.239.35.100/search?q=cache:O38kBECQ9KsC:paris.cs.berkeley.edu/~dawnsong/papers/ssh-timing.pdf+ssh+vulnerabilities+1+byte+password+crack&hl=en
http://216.239.33.100/search?q=cache:n9qPBRuFs2YC:xforce.iss.net/static/6449.php+ssh+rc4&hl=en

However, I think another problem you will have is that the newer ssh2
daemons don't run in ssh1 mode (for security reasons), so you won't even
be able to connect to them.

		-rishi
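
The compatibility problem raised in the last paragraph can be checked from the server's identification banner alone. The following is an added example, not part of the original message: it assumes the RFC 4253 convention that a protocol version of "1.99" marks a 2.0 server that still accepts 1.x clients, and its function names and sample banners are constructed for illustration.

```python
import re

# Identification line: "SSH-protoversion-softwareversion[ SP comments]"
ID_RE = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)(?: .*)?$")

def classify_banner(raw: bytes) -> dict:
    """Report which protocol generations a server banner advertises."""
    result = {"valid": False, "ssh1": False, "ssh2": False, "software": None}
    # A server may send free-text lines first; the identification string
    # is the first line that starts with "SSH-".
    for line in raw.decode("ascii", "replace").splitlines():
        if not line.startswith("SSH-"):
            continue
        m = ID_RE.match(line)
        if m:
            major, minor = int(m.group(1)), int(m.group(2))
            both = (major, minor) == (1, 99)  # 2.0 server, 1.x still accepted
            result.update(valid=True, software=m.group(3),
                          ssh1=both or major == 1,
                          ssh2=both or major == 2)
        break  # only the first "SSH-" line counts, matched or not
    return result

def ssh1_only_client_outcome(raw: bytes) -> str:
    """Outcome for a client that speaks 1.x only (hypothetical helper)."""
    info = classify_banner(raw)
    if not info["valid"]:
        return "not-ssh"
    return "connects-over-ssh1" if info["ssh1"] else "refused-ssh2-only"

# Constructed sample banners, not captured from real hosts.
SAMPLES = {
    "ssh1-only": b"SSH-1.5-1.2.27\n",
    "compat": b"SSH-1.99-OpenSSH_3.0.2p1\r\n",
    "ssh2-only": b"SSH-2.0-OpenSSH_3.1p1 Debian\r\n",
    "pre-banner": b"Authorized use only\r\nSSH-2.0-Example_1.0\r\n",
    "other-service": b"220 mail.example ESMTP\r\n",
}

if __name__ == "__main__":
    for name, banner in SAMPLES.items():
        info = classify_banner(banner)
        print(f"{name:14} ssh1={info['ssh1']!s:5} ssh2={info['ssh2']!s:5} "
              f"1.x-only client: {ssh1_only_client_outcome(banner)}")
```

When auditing servers, `ssh1=True` is the result to act on, since it means the daemon still accepts the older protocol.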

