Home page logo

basics logo Security Basics mailing list archives

Re: Which one have more vulnerability history, SSH or OpenSSH ?
From: Byron Sonne <blsonne () rogers com>
Date: Mon, 15 Mar 2004 13:50:08 -0500

I would like to use openssh over commercial ssh. Which
one has more security problems in the past? Some in my
IT department claim that openssh is more unsecure bcoz
it had more problems? Is it true? Or is it something
in the long past.

This is not as simple a question as it might appear.

My personal estimate would be that yes, OpenSSH probably has more of a history of vulnerabilities being made public. But that's just a guess. More people use OpenSSH so it is a more prevalent target. It's also a more attractive target; if you're a cracker you'll probably get more kudos from your buddies.

But then we have to give thought to what version numbers? If you're running anything that's out of date you're opening yourself to problems. And what flavour of OpenSSH, portable? If so, check this blurb from the http://www.openssh.org/ website

"Managing the distribution of OpenSSH is split into two teams. One team does strictly OpenBSD-based development, aiming to produce code that is as clean, simple, and secure as possible. We believe that simplicity without the portability "goop" allows for better code quality control and easier review. The other team then takes the clean version and makes it portable, by adding the portability "goop" so that it will run on many operating systems (these are known as the p releases, and named like "OpenSSH 3.8p1"). Please click on the provided link for your operating system."

So one could reasonably anticipate that by adding the "portability goop" you're going to open up a much, much wider field for vulnerabilities.

Also, was it built from source or installed as precompiled binaries? How was it configured? All valuable questions. And some of the vulnerabilities are not in OpenSSH but rather in libraries that it depends on, such as SSL type stuff.

I personally would still stick with OpenSSH for the foreseeable future. They tend to fix problems pretty quickly. Since it is open I feel very positive about their ability to adapt to user needs and concerns.


For Good, return Good. For Evil, return Justice.

Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]