Can you point me to a site describing the structural weaknesses of SSH1?

Thanks,
Noel




[EMAIL PROTECTED] on 06/13/2000 09:45:56 PM

To:   [EMAIL PROTECTED]
cc:   (bcc: Noel L Yap)
Subject:  Re: FAQ section 1.12




begin Atro Tossavainen quotation:

> I guess the working assumption from Tatu and the rest of the SSH folks
> was that everyone would be moving to SSH2 and backward compatibility
> would not be an issue.

Tatu and co., by dint of hard work, have made some very compelling
arguments for that migration.  However, this matrix of available
software (from diverse authors, not just SSH Communications Security,
Ltd. and F-Secure Corporation) will perhaps partially explain
protocol 1.5's persistence:

Highest protocol version supported in software that is:
              Straight      Gratis-Usage for  Unconditional
              Proprietary   Non-Commercial    Gratis-usage   Open-source [1]
              -----------   --------------    ------------   -----------
Clients
=======
Amiga OS         1.5             1.5               none         none
BeOS              -              1.5               none         none
Java              -               -                none         1.5 [2]
Macintosh OS     2.0              -                1.5          none
OpenVMS           -               -                 -           1.5
OS/2             2.0             1.5               none         none
PalmOS            -               -                1.5          none
Unix             2.0             2.0                -           2.0
Win16            2.0             1.4               none         none
Win32            2.0             2.0               1.5          2.0
WinCE            1.5             none               -           none

Servers
=======
OpenVMS           -               -                 -           1.5
OS/2              -              1.5               none         none
Unix             2.0             2.0               none         2.0
Win32             -              2.0               none         2.0

The constituent packages are detailed in my list at
http://linuxmafia.com/pub/linux/security/ssh-clients .  (Hey, I had a
few minutes to kill, so I thought I'd summarise my list in tabular
form.)

> More bugs have been found and corrected than in ssh2 so far, of course.

And there are known structural weaknesses in the 1.x protocols.

[1] As is defined by the Open Source Initiative at
http://www.opensource.org/osd.html .  The three columns leftwards are
breakdowns of all non-open-source categories, i.e., different classes of
proprietary licences.

[2] Mats Andersson says MindTerm will soon support secsh 2.0.

--
Cheers,                        "Censeo Toto nos in Kansa esse decisse."
Rick Moen                                                  -- D. Gale
rick (at) linuxmafia.com





