Flaw Made Public In OpenSSH Encryption
alimo20 writes "Researchers at the Royal Holloway, University of London have discovered a flaw in Version 4.7 of OpenSSH on Debian/GNU Linux. According to ISG lead professor Kenny Patterson, an attacker has a 2^{-18} (that is, one in 262,144) chance of success. Patterson says that this is more significant than past discoveries because 'This is a design flaw in OpenSSH. The other vulnerabilities have been more about coding errors.' The vulnerability is possible by a man-in-the-middle intercepting blocks of encrypted material as it passes. The attacker then re-transmits the data back to the server and counts the number of bytes before the server throws error messages and disconnects the attacker. Using this information, the attacker can work backwards to figure out the first 4 bytes of data before encryption. 'The attack relies on flaws in the RFC (Request for Comments) internet standards that define SSH, said Patterson. ... Patterson said that he did not believe this flaw had been exploited in the wild, and that to deduce a message of appreciable length could take days.'"
You've got to be fucking kidding me.
From the summary:
Researchers at the Royal Holloway, University of London have discovered a flaw in Version 4.7 of OpenSSH on Debian/GNU Linux.
I think that's an adequate description. It is the combination of Debian, and GNU, and Linux, and many other things. Try copy/paste trolling something relevant.
And of course, calling it a GNU system is unbelievably arrogant. Why should it be called GNU/Linux, and not Debian/GNU/X.org/Apache/BSD/Linux? Recall that the software in question is OpenSSH, a project from the BSD world, and most definitely not a GNU project.
Oh, by the way, the GNU system is useless without a kernel. However, a kernel can actually be useful without running any userspace software at all -- for instance, take Coreboot, formerly LinuxBIOS, which if I recall, ran entirely in kernel-space. It's also possible to make a Linux distribution that does not include GNU -- for instance, use a non-GNU libc, and Busybox, and you have a useful (if minimal) Linux operating system without GNU.
Here's a suggestion: Drop this pointless, semantic bickering, and talk about something that matters, that actually has an impact on the realities and future of Free Software. Something like DRM, or Verified Voting, or open document standards, or Web standards, or better technology -- why are people still writing so much stuff (unnecessarily) in C? -- or free software in government, or network neutrality, or the need for marketing and business people in free software.
Because right now, it just looks embarrassing. Look at the Ubuntu homepage -- it doesn't even describe itself as Ubuntu Linux. It's just Ubuntu, and if you look at the details, you may find that it's a "Linux-based operating system". And notice the complete lack of complaints from anyone in the "Linux" community? It's only a few GNU people like you who are still bitter about the fact that Linus did in a few months what GNU took years to not do -- build a working kernel.
Don't thank God, thank a doctor!
Still, it is another clear indication that Linux security is not all it is made out to be. For example OS X has a better security track record than any other operating system in the world, particularly Linux.