[31655] in North American Network Operators' Group
RE: RSA Patent Expired
daemon@ATHENA.MIT.EDU (Enkhyl)
Wed Oct 4 20:04:00 2000
Date: Wed, 4 Oct 2000 17:02:03 -0700 (PDT)
From: Enkhyl <enkhyl@pobox.com>
Reply-To: enkhyl@pobox.com
To: "Richard A. Steenbergen" <ras@e-gerbil.net>
Cc: Richard Welty <rwelty@vpnet.com>,
Bill Fumerola <billf@chimesnet.com>,
Hendrik Visage <hvisage@is.co.za>,
Bradly Walters <bwalters@inet-direct.com>, nanog@merit.edu
In-Reply-To: <Pine.BSF.4.21.0010041939571.373-100000@overlord.e-gerbil.net>
Message-ID: <Pine.BSF.4.21.0010041648490.224-100000@cassandra.foobarbaz.net>
On Wed, 4 Oct 2000, Richard A. Steenbergen wrote:
> On Tue, 3 Oct 2000, Richard Welty wrote:
>
> > Bill Fumerola [mailto:billf@chimesnet.com] wrote:
> > > OpenSSH uses RSA for ssh1, so it too benefited greatly
> > > from RSA's release of the code into the public domain.
> >
> > except that nobody should be using ssh1 for _anything_ if they can
> > possibly avoid it. even the original authors of ssh are strongly
> > advocating consigning ssh1 to the trash heap of computer security.
>
> I think you're confused, ssh1 is still a very valid protocol. It is well
> tested and proven, and in many cases better implemented than ssh2 (though
> of course that may change eventually). Don't confuse the desire to make
> money with insecurity.

There are known holes in the SSH1 protocol, which is why it is recommended
that the SSH2 protocol be used.

http://www.securityportal.com/list-archive/bugtraq/1999/Dec/0195.html

The vulnerability is non-trivial to exploit, but it is a flaw. See the
reference in the above link.

--
Christopher Nielsen
(enkhyl|cnielsen)@pobox.com
"Not only is UNIX dead, it's starting to smell really bad." --rob pike