On Fri, Mar 03, 2000 at 05:04:42AM +0200, Tatu Ylonen wrote:
> Please remember that you need an RSA patent license to use SSH1, but
> not for SSH2.
Please remember also, that the RSA patent will expire in about half
a year on September 20th.
> OpenSSH is based on my version from back in 1995 or 1996. The OpenSSH
> folks have fixed many of the (security) bugs in that version, but not
> all of them when I last checked. Some of the problems in SSH1 are
> very fundamental.
Could you please be more specific? Are you refering to implementation
or to protocol bugs? Are there any defects in the protocol apart from
the usage of CRC for authentication and the lack of authentication
for the data exchanged before encryption is turned on?
> I do not recommend use of OpenSSH (or SSH1 generally, for that matter).
So what's wrong with SSH1?
Thanks,
-markus
