Hi,

Quoting Dale Amon (amon@xxxxxxx):
> There appears to be an exploitable weakness in ssh
> right now. Characters are transmitted as fast as
> typed; interpacket timings carry probabilistic data
> on which character pairs were typed.

iirc there actually are two vulnerabilities; the ability to make statistically supported guesses about password length, and guesses about password _content_; both in the initial ssh password exchange, and in password exchanges in _new_ ssh sessions from an existing ssh session.

> If anyone knows the guys working on ssh, make sure
> they are aware of this. I tried getting email through
> the web site but there was no good address there and
> I have not gotten a reply.

They are aware of it, and there are patches. I don't recall which versions actually have these patches, or where they can be found.

Just FYI.

Greets,
Robert

--
Linux Generation encrypted mail preferred.
finger rvdm@xxxxxxxxxx for my GnuPG/PGP key.
Fighting for peace is like screwing for virginity.

Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
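
The two leaks discussed in this message (packet count revealing password length, inter-packet gaps revealing typing rhythm) can be seen, and one generic countermeasure compared, in the following added example. It is not part of the original message and does not represent the ssh patches mentioned; the tick interval, burst size and keystroke timestamps are constructed assumptions.

```python
# Added illustration: what an on-path observer can measure from send times,
# with and without fixed-interval sending plus dummy packets.
TICK = 0.05   # assumed fixed send interval, in seconds
BURST = 40    # assumed packets per burst (2 s at TICK)

# Constructed keystroke timestamps (seconds); not captured data.
PW8 = [0.000, 0.132, 0.301, 0.395, 0.611, 0.702, 0.934, 1.050]
PW5 = [0.000, 0.210, 0.350, 0.580, 0.700]

def send_as_typed(key_times):
    """One packet per keystroke, sent the moment the key is pressed."""
    return [(t, True) for t in key_times]

def send_on_ticks(key_times, tick=TICK, burst=BURST):
    """Send exactly one packet per tick; ticks without a queued keystroke
    carry a dummy packet. Output is padded to a whole number of bursts."""
    queue = sorted(key_times)
    if not queue:
        return []
    start, packets, i = queue[0], [], 0
    while queue or i % burst != 0:
        t = start + i * tick
        real = bool(queue) and queue[0] <= t + 1e-9
        if real:
            queue.pop(0)
        packets.append((round(t, 6), real))  # (send time, carries a keystroke)
        i += 1
    return packets

def wire_view(packets):
    """What the observer sees: packet count and inter-packet gaps only."""
    times = [t for t, _ in packets]
    gaps = [round(b - a, 6) for a, b in zip(times, times[1:])]
    return len(times), gaps

if __name__ == "__main__":
    for name, pw in (("8 chars", PW8), ("5 chars", PW5)):
        n_raw, gaps_raw = wire_view(send_as_typed(pw))
        n_pad, gaps_pad = wire_view(send_on_ticks(pw))
        print(f"{name}: as typed  -> {n_raw} packets, gaps {gaps_raw}")
        print(f"{name}: on ticks  -> {n_pad} packets, distinct gaps {set(gaps_pad)}")
```

The cost of the padded scheme is latency of up to one tick per keystroke and constant bandwidth for the length of each burst.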