Hi all! I was wondering how bad this actually is and it looks extremely horrible. In practice, all data transmitter over the wire for the last two years and be snooped upon (if someone has captured it - and the paranoid must assume someone has).
Trusting on the security of ssh, we have, for example, used ssh to transmit data from server to server, including such sensitive information as Heimdal database master key... Am I correct in assuming this key has been compromised? And along with it all the Heimdal passwords... However, ever since we started using Heimdal, we have used GSSAPI authentication by default, which, to my understanding, does not rely on SSH host or user keys, but bases all its crypto on Kerberos. Does this mean data transmitted over GSSAPI-authenticated links is still secure? (Not that it matters much - there is no way of making sure the default (GSSAPI) was *always* used when transmitting sensitive data. By the way, if (since?) all the data ever transmitted over any ssh link secured by a weak key is compromised, it means that every single GPG passphrase (or any other password) ever transmitted over any of these links is also compromised. Just count how many times you've used GPG over one of the weak links... Cheers (looks like a cheerful weekend to come indeed)... Juha -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]