Subject: Re: Newbie pkgsrc PATH Related Question
To: None <port-sparc@NetBSD.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
Date: 07/29/2004 16:04:01
>> I'm not sure how much the older protocol impacts security, but it's
>> got to better than using telnet ...
> I thought the general concensus was that it's better, but not much.
Depending on your threat model, it can be anywhere from worse (because
of the false sense of security) to a great deal better.
It also depends on which implementation of v1 you use. Some of them
have gross bugs like buffer overflows; others have no known weaknesses
beyond crypto-level attacks against the protocol (for values of "known"
that equal "I've heard of", at least).
The major vulnerability I have heard of in v1 (as opposed to
vulnerabilities in particular implementations of v1) is a MitM attack
on host keys, and that (a) depends on humans being stupid and (b)
applies equally well to v2. (It's more of a practical risk for v1,
because tools to attack it on v1 are known to be widely distributed,
but not for v2. But it's just as much a protocol vulnerability.)
If anyone knows of any attacks on v1 that don't fit the above
descriptions, I would really like to hear about them.
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML email@example.com
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B