mailing list archives
RE: RSA Patent Expired
From: "Richard A. Steenbergen" <ras () e-gerbil net>
Date: Wed, 4 Oct 2000 20:18:17 -0400 (EDT)
On Wed, 4 Oct 2000, Enkhyl wrote:
On Wed, 4 Oct 2000, Richard A. Steenbergen wrote:
On Tue, 3 Oct 2000, Richard Welty wrote:
Bill Fumerola [mailto:billf () chimesnet com] wrote:
OpenSSH uses RSA for ssh1, so it too benefited greatly
from RSA's release of the code into the public domain.
except that nobody should be using ssh1 for _anything_ if they can
possibly avoid it. even the orginal authors of ssh are strongly
consigning ssh1 to the trash heap of computer security.
I think you're confused, ssh1 is still a very valid protocol. It is well
tested and proven, and in many cases better implemented then ssh2 (though
of course that may change eventually). Don't confuse the desire to make
money with insecurity.
There are known holes in the SSH1 protocol, which is why it is recommended
that the SSH2 protocol be used.
The vulnerability is non-trivial to exploit, but it is a flaw. See the
reference in the above link.
Hence the addition of a strong MAC in ssh2. This is a pretty difficult
attack to pull off, but I'll agree its handled better in ssh2.
Richard A Steenbergen <ras () e-gerbil net> http://www.e-gerbil.net/humble
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)