Slashdot Mirror


SSH Taking Stand On Vulnerability

jeffy124 writes "SSH Communications is recognizing the vulnerability claim made by UC Berkeley researchers earlier this week. They say it is not a practical threat to the ssh protocol; people can still remain confident in keeping communications over ssh private. While this is true IMO, they are open to and will be researching techniques that would make the standard stronger, along with hopes of lessening this vulnerability."

2 of 90 comments

  1. OpenSSH - no problem by cehf2 · Score: 3, Interesting

    It appears, using OpenSSH 2.9p2 (that is currently in debian/unstable), that it sends the entire password in one TCP packet, so no problem there then.

  2. Mostly Nonsense by fanatic · Score: 3, Interesting

    I tested in OpenSSH 2.5.1p2 - the login password is sent in one packet, so the inter-key timing attack is crap for this.

    The interkey timing applies ONLY AFTER the initial login. The cracker would have to somehow know you were executing something that involved entering a password, then capture the packets with your keystrokes.

    This is getting way more play than it deserves, IMO.

    --
    "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody