Subject: Re: Newbie pkgsrc PATH Related Question
To: None <port-sparc@NetBSD.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: port-sparc
Date: 07/29/2004 16:04:01
>> I'm not sure how much the older protocol impacts security, but it's
>> got to be better than using telnet ...
> I thought the general consensus was that it's better, but not much.

Depending on your threat model, it can be anywhere from worse (because
of the false sense of security) to a great deal better.

It also depends on which implementation of v1 you use.  Some of them
have gross bugs like buffer overflows; others have no known weaknesses
beyond crypto-level attacks against the protocol (for values of "known"
that equal "I've heard of", at least).

The major vulnerability I have heard of in v1 (as opposed to
vulnerabilities in particular implementations of v1) is a MitM attack
on host keys, and that (a) depends on humans being stupid and (b)
applies equally well to v2.  (It's more of a practical risk for v1,
because tools to attack it on v1 are known to be widely distributed,
but not for v2.  But it's just as much a protocol vulnerability.)

If anyone knows of any attacks on v1 that don't fit the above
descriptions, I would really like to hear about them.

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse@rodents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B