Subject: Re: FreSSH
To: None <current-users@netbsd.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: current-users
Date: 03/09/2002 18:16:21
On Sat, Mar 09, 2002 at 12:24:34PM -0600, Eric Haszlakiewicz wrote:
> On Fri, Mar 08, 2002 at 10:37:20PM -0500, Michael G. Schabert wrote:
> > At 2:00 PM -0500 3/8/02, Thor Lancelot Simon wrote:
> > >Unfortunately, we all got awfully busy, so the FreSSH team isn't in much
> > >of a position to talk.  It doesn't help that none of us really like the
> > >baroque V2 protocol very much
> > 
> > But if you refuse to embrace v2, have you eliminated the MANY known 
> > security problems with v1? If not, then without v2 support OpenSSH is 
> > still far safer, IMHO.
> 	We're not refusing to include v2, we just think that there are better
> ways to do it.  However, that doesn't mean v1 is the better way.  One of the
> things we've tossed around is the idea of replacing the ssh v2 transport
> layer with tls/ssl, leaving the v2 authentication and connection layers as is,
> which would definitely be an improvement.

One other thing that's noteworthy is that due to the design of the v2
transport layer (and many other cryptographic transports, unfortunately) 
it's vulnerable to a well-known attack on CBC mode -- yet no ciphers
using other modes are currently in the drafts.

It's reasonable to anticipate that, just as we extended the v1 protocol
(by adding new ciphers with saner behaviour) to address the problems of
using a CRC instead of a cryptographic checksum, using an incorrect version
of Blowfish, and other minor things, we'll have our shot at some of what we
perceive as the current v2 issues.  But, of course, we have to get off our
rear ends and do _anything_ with FreSSH, which we haven't in several months.

-- 
 Thor Lancelot Simon	                                      tls@rek.tjls.com
   But as he knew no bad language, he had called him all the names of common
 objects that he could think of, and had screamed: "You lamp!  You towel!  You
 plate!" and so on.              --Sigmund Freud