[31666] in North American Network Operators' Group
RE: RSA Patent Expired
daemon@ATHENA.MIT.EDU (Joe Shaw)
Thu Oct 5 11:43:42 2000
Date: Thu, 5 Oct 2000 10:41:11 -0500 (CDT)
From: Joe Shaw <jshaw@insync.net>
To: "Richard A. Steenbergen" <ras@e-gerbil.net>
Cc: Richard Welty <rwelty@vpnet.com>,
Bill Fumerola <billf@chimesnet.com>,
Hendrik Visage <hvisage@is.co.za>,
Bradly Walters <bwalters@inet-direct.com>, nanog@merit.edu
In-Reply-To: <Pine.BSF.4.21.0010041939571.373-100000@overlord.e-gerbil.net>
Message-ID: <Pine.GSO.4.21.0010051032310.12563-100000@vellocet.insync.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu
On Wed, 4 Oct 2000, Richard A. Steenbergen wrote:
> > except that nobody should be using ssh1 for _anything_ if they can
> > possibly avoid it. even the orginal authors of ssh are strongly
> > advocating
> > consigning ssh1 to the trash heap of computer security.
>
> I think you're confused, ssh1 is still a very valid protocol. It is well
> tested and proven, and in many cases better implemented then ssh2 (though
> of course that may change eventually). Don't confuse the desire to make
> money with insecurity.
No, he's not confused. Supposedly, using any algorithm other than 3DES
with SSH1 can set you up for some type of stream insertion attack. I've
never seen it personally, but supposedly the threat does exist.
Furthermore, OpenSSH supports ssh2 and is free, in both the free beer and
the free speech way. The BSD license is cool like that.
--
Joseph W. Shaw - jshaw@insync.net
Computer Security Consultant and Programmer
Free UNIX advocate and all around nice guy.
