Re: [SECURITY] [DSA 1571-1] vulnerability of past SSH/SSL sessions

To: Micah Anderson <micah@riseup.net>
Cc: Simon Valiquette <v.simon@ieee.org>, debian-security@lists.debian.org
Subject: Re: [SECURITY] [DSA 1571-1] vulnerability of past SSH/SSL sessions
From: Henrique de Moraes Holschuh <hmh@debian.org>
Date: Wed, 14 May 2008 21:54:09 -0300
Message-id: <[🔎] 20080515005409.GB3415@khazad-dum.debian.net>
In-reply-to: <[🔎] 20080515005033.GB14824@pond>
References: <87od7az9v4.fsf@mid.deneb.enyo.de> <[🔎] 482B7759.5000201@ieee.org> <[🔎] 20080515005033.GB14824@pond>

On Wed, 14 May 2008, Micah Anderson wrote:
> authenticity of the server. In other words, ssh sessions are not
> compromised just because an adversary has the host keys (unless a MITM
> is setup, in which case you need bot the host key and the authentication
> key to perform a mitm attack).

Ok.  But I do have one doubt: does the RNG bug affect SSH session IV
generation?

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Reply to:

References:
- Re: [SECURITY] [DSA 1571-1] vulnerability of past SSH/SSL sessions
  - From: Simon Valiquette <v.simon@ieee.org>
- Re: [SECURITY] [DSA 1571-1] vulnerability of past SSH/SSL sessions
  - From: Micah Anderson <micah@riseup.net>

Prev by Date: Re: DSA/DSS keys and DSA 1576-1/CVE-2008-0166.
Next by Date: Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator
Previous by thread: Re: [SECURITY] [DSA 1571-1] vulnerability of past SSH/SSL sessions
Next by thread: Re: [SECURITY] [DSA 1571-1] vulnerability of past SSH/SSL sessions
Index(es):
- Date
- Thread