On Aug 13, 2009, at 9:13 AM, Devon H. O'Dell wrote:
> If I'm recalling correctly, SSHv1 is insecure only if the remote
> server is untrusted. Or am I not recalling correctly?
I believe you're correct and that server fingerprinting was introduced
in v2. I asked some friends of mine about it and they said the
principal issue is that it uses CRC for the packet checksum, which
makes it not particularly hard for a third party to inject packets
into your connection. Also, there are theoretical attacks that allow
the session key to be recovered. One of my friends also said it only
supported 3DES, but I'm not convinced that's a cryptological weakness
in and of itself, nor that designing a new protocol with plug 'n play
crypto is genius either, since I think a lot of the complexity in SSH
v2 comes from its configurability, the effect that has on connection
setup, as well as silly optional features like connection sharing and
whatnot. (I use that silly feature all the time but I don't think I
would have offered to build it into the protocol.)
—
Daniel Lyons
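The CRC point above, as an added example (not part of the thread): CRC-32 is linear over XOR, so the change a modification makes to the checksum does not depend on the message content, whereas the change to a keyed MAC does. The packets and key below are constructed for the demonstration, not taken from SSH.

```python
"""Why a linear checksum (CRC-32) cannot act as a message authentication
code, contrasted with HMAC-SHA256. Sample messages and key are constructed."""
import hashlib
import hmac
import zlib


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc_of_xor(a: bytes, b: bytes) -> int:
    """CRC-32 is affine over XOR for equal-length inputs:
    crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros). The checksum of a modified
    message is thus a function of the old checksum and the modification only."""
    assert len(a) == len(b)
    return crc32(a) ^ crc32(b) ^ crc32(bytes(len(a)))


def hmac_sha256(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def crc_delta_is_content_independent(delta: bytes, msg1: bytes, msg2: bytes) -> bool:
    """Apply the same XOR delta to two different messages of equal length.
    With CRC-32 the resulting change in the checksum is identical."""
    d1 = crc32(msg1) ^ crc32(xor_bytes(msg1, delta))
    d2 = crc32(msg2) ^ crc32(xor_bytes(msg2, delta))
    return d1 == d2


def mac_delta_is_content_independent(key: bytes, delta: bytes, msg1: bytes, msg2: bytes) -> bool:
    """Same experiment with a keyed MAC: the change in the tag depends on
    the message and the key, so it cannot be predicted from the delta alone."""
    d1 = xor_bytes(hmac_sha256(key, msg1), hmac_sha256(key, xor_bytes(msg1, delta)))
    d2 = xor_bytes(hmac_sha256(key, msg2), hmac_sha256(key, xor_bytes(msg2, delta)))
    return d1 == d2


def verify_mac(key: bytes, data: bytes, tag: bytes) -> bool:
    """Receiver-side check: constant-time comparison of the expected tag."""
    return hmac.compare_digest(hmac_sha256(key, data), tag)


# Constructed sample packets and key (same length, different content).
PKT_A = b"exec ls -l /home/user\n"
PKT_B = b"exec cat /etc/motd   \n"
DELTA = bytes([0] * 5 + [0x1f] * 3 + [0] * (len(PKT_A) - 8))
KEY = b"constructed-demo-key-0123456789"
```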