Slashdot Mirror

← Back to Stories (view on slashdot.org)

Flaw Made Public In OpenSSH Encryption

Posted by timothy on from the days-to-whom dept.

alimo20 writes "Researchers at the Royal Holloway, University of London have discovered a flaw in Version 4.7 of OpenSSH on Debian/GNU Linux. According to ISG lead professor Kenny Patterson, an attacker has a 2^{-18} (that is, one in 262,144) chance of success. Patterson tells that this is more significant than past discoveries because 'This is a design flaw in OpenSSH. The other vulnerabilities have been more about coding errors.' The vulnerability is possible by a man-in-the-middle intercepting blocks of encrypted material as it passes. The attacker then re-transmits the data back to the server and counts the number of bytes before the server to throws error messages and disconnects the attacker. Using this information, the attacker can work backwards to figure out the first 4 bytes of data before encryption. 'The attack relies on flaws in the RFC (Request for Comments) internet standards that define SSH, said Patterson. ... Patterson said that he did not believe this flaw had been exploited in the wild, and that to deduce a message of appreciable length could take days.'"

4 of 231 comments (clear)

  1. Re:im by Anonymous Coward · · Score: -1, Offtopic

    The bitches own it now. The religious snatches and other shills whote with safe, pithy posts devoid of all risk and individuality. It's no coincidence that certain readers submit 80% of the articles and the highest-scoring of the first few posts.

    Occasionally some Slashdot readers earnestly earn excellent karma but are able to form enough of their own opinion to post controversial and dangerous words which make the bitchboys uncomfortable. The pussilanimous maintain a shitlist with those whose views run counter to their own or whose words encourage uncomfortable but rational discussion.

    The bitchboys, armed with karma from years of whoring as well as strength in numbers forged by religious groupthink, whine and complain to slashdot admins until the admins have little choice but to "cheat" -- that is, to censure the deviants and malcontents who dare express opinions which run counter to the status quo.

    The bitchboys rule slashdot. Enjoy your safe, sterile conversation kids!

  2. I'd just like to interject for a moment. by Clockwurk · · Score: -1, Offtopic

    What you're referring to as Linux, is in fact, GNU/Linux, or as I've recently taken to calling it, GNU plus Linux. Linux is not an operating system unto itself, but rather another free component of a fully functioning GNU system made useful by the GNU corelibs, shell utilities and vital system components comprising a full OS as defined by POSIX.

    Many computer users run a modified version of the GNU system every day, without realizing it. Through a peculiar turn of events, the version of GNU which is widely used today is often called "Linux", and many of its users are not aware that it is basically the GNU system, developed by the GNU Project.

    There really is a Linux, and these people are using it, but it is just a part of the system they use. Linux is the kernel: the program in the system that allocates the machine's resources to the other programs that you run. The kernel is an essential part of an operating system, but useless by itself; it can only function in the context of a complete operating system. Linux is normally used in combination with the GNU operating system: the whole system is basically GNU with Linux added, or GNU/Linux. All the so-called "Linux" distributions are really distributions of GNU/Linux.

  3. YOU FAILs IT?! by Anonymous Coward · · Score: -1, Offtopic

    abo0t a project posts on Usenet are

  4. Re:Old version = old news by Tanktalus · · Score: -1, Offtopic

    Do you go around on IRC as Cthon98? Just wonderin'.