Slashdot Mirror


SSH Vulnerability and the Future of SSL

iamchris writes "Growing complacent in regards to security is dangerous. I've become more and more dependent on the SSL-type tools for my security... ssh itself, ssl for my web content, scp, sftp, etc... We all know nothing is 100% secure (or if you don't, God help you). An article on Security Focus cites a vulnerability with SSH and passwords. We usually type them in letter-by-letter. A lot of information can be gleaned from the timing of the keystrokes and some (relatively simple) packet decoding. Is there a better alternative to SSL-based tools (perhaps TLS)? Is there anything that can be done with the client's help with the small packet issue?"

2 of 290 comments

  1. The best bet for security has always been... by kypper · Score: 0, Troll
    to unplug the network connection.


    We all know nothing is 100% secure (or if you don't, God help you).

    We hacked him yesterday ;o)

  2. More to worry about if you're paranoid. by Pinball Wizard · Score: 1, Troll
    A lot of information can be gleaned from the timing of the keystrokes and some (relatively simple) packet decoding.


    Well, if you use RSA you don't need to type a password so that would solve that particular problem. But if you really want to be paranoid about it, the technology exists to capture your keystrokes. I believe it works by detecting the charge released from depressing each keystroke (the keyboard uses capacitance to send specific characters if I'm not mistaken). So you really need to work behind lead walls or something else that will block that signal from being transmitted.


    Again, using RSA would prevent the password from being transmitted. But they could just keep listening, and gather sensitive data as you type away.

    --

    No, Thursday's out. How about never - is never good for you?
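
On the submission's closing question about client-side help with the small-packet issue, the following is an added example (not part of the original post or comments, and not code from any SSH implementation) that simulates one mitigation: the client sends equal-size packets on a fixed tick, filling gaps with chaff, so inter-keystroke timing is not visible on the wire. The function names, the 20 ms tick, the 25-tick tail and the sample timings are assumptions made for illustration.

```python
# Added illustration: names and parameters are assumptions, not from any SSH client.
TICK_MS = 20      # fixed send interval (assumed value)
TAIL_TICKS = 25   # chaff packets sent after the last real keystroke (assumed)

def obscure(keys_ms, tick_ms=TICK_MS, tail_ticks=TAIL_TICKS):
    """Turn keystroke arrival times (ms) into a send schedule.

    Returns [(send_time_ms, kind)], kind "key" or "chaff". Every packet is
    assumed padded to one size, so an observer learns only the send times.
    """
    queue = sorted(keys_ms)
    schedule, i = [], 0
    while i < len(queue):
        t = queue[i]                       # a burst starts with the first pending key
        schedule.append((t, "key"))
        i += 1
        idle = 0
        while idle < tail_ticks:           # keep ticking until the user has gone quiet
            t += tick_ms
            if i < len(queue) and queue[i] <= t:
                schedule.append((t, "key"))    # real keystroke, delayed to the tick
                i += 1
                idle = 0
            else:
                schedule.append((t, "chaff"))  # dummy packet hides the gap
                idle += 1
    return schedule

def gaps(times):
    """Inter-packet intervals, which is what a passive observer can measure."""
    return [b - a for a, b in zip(times, times[1:])]

def wire_times(schedule):
    """Send times only: the packet kind is hidden by encryption and padding."""
    return [t for t, _ in schedule]

# Constructed sample: two different typing rhythms for an 8-character password.
RHYTHM_A = [0, 95, 210, 260, 410, 480, 650, 700]
RHYTHM_B = [0, 180, 230, 390, 440, 520, 600, 690]

if __name__ == "__main__":
    for name, keys in (("A", RHYTHM_A), ("B", RHYTHM_B)):
        print(name, "raw gaps:     ", gaps(keys))
        print(name, "observed gaps:", sorted(set(gaps(wire_times(obscure(keys))))))
    # A pause longer than TICK_MS * TAIL_TICKS ends the burst and stays visible.
    print("long pause:", max(gaps(wire_times(obscure([0, 2000])))))
```

The start of typing, the overall burst length and any pause longer than the tail remain observable. OpenSSH clients since 9.5 ship a comparable mechanism, controlled by the `ObscureKeystrokeTiming` option in `ssh_config`.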