this post was submitted on 20 Dec 2023
94 points (75.5% liked)

Technology

62174 readers
4321 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s
enu
technopagan
L4s
94
SSH protects the world’s most sensitive networks. It just got a lot weaker (arstechnica.com)
submitted 1 year ago by eager_eagle to c/technology
26 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 152 points 1 year ago (13 children)

Bit of an alarmist headline here. The vulnerability has been patched in the most common clients (openssh) and it was because the protocol wasn't being implemented correctly. To say that the SSH protocol "just got a lot weaker" is just not true.

[–] eager_eagle 16 points 1 year ago* (last edited 1 year ago) (11 children)

It doesn't look that simple to me. From the Terrapin paper:

Although we suggest backward-compatible countermea- sures to stop our attacks, we note that the security of the SSH protocol would benefit from a redesign from scratch. This redesign should be guided by all findings and insights from both practical and theoretical security analysis, in a similar manner as was done for TLS 1.3.

It seems the protocol itself needs a revision and implementation-specific patches are easier and less-than-ideal solutions.

One could argue that even these solutions they provide are already changes to the protocol, and not just fixes to implementation bugs. Both the Sequence Number Reset and Full Transcript Hash add or change functionality at the communication protocol level, rather than simply covering corner cases.

[–] qx128 22 points 1 year ago (1 children)

Yeaaaa, a complete redesign from scratch sounds way more dangerous. “Noah, get the boat” isn’t always the best answer. There’s been a lot of thought and testing put into the magnificent work that is SSH over the past few decades.

[–] eager_eagle 1 points 1 year ago* (last edited 1 year ago)

I won't pretend I know better than the paper authors, what I can say is that some fixes are not incremental.

There are cases that mature tools and protocols should be left behind, and the danger lies exactly in using a protocol that was designed in the web 1.0 era.

load more comments (9 replies)
load more comments (10 replies)