- cross-posted to:
- technology@lemmy.world
- cross-posted to:
- technology@lemmy.world
You must log in or register to comment.
Since he doesn’t mention it in his ‘fantastic’ reporting, OpenSSH 9.6 was released Monday that will patch this attack. Also, since he doesn’t mention it, if on the Internet, the MITM would have to be installed at both end points (client side and server side) to be effective without the patch.
Since he doesn’t mention it in his ‘fantastic’ reporting, OpenSSH 9.6 was released Monday that will patch this attack.
I am tempted to delete this post just for the article’s stupid clickbait headline, but it still will probably cause some people to go update their OpenSSH installs, so… meh.
Anyone who actually wants to know details of the vulnerability should read the website about it which is obviously much better than this article.
Also, since he doesn’t mention it, if on the Internet, the MITM would have to be installed at both end points (client side and server side) to be effective without the patch.
Huh? No. The attacker doesn’t need to be in two places or even near either end per se, they could be located at any fully on-path position between the client and server.
Ylönen, who at the time knew little about implementing strong cryptography in code, set out to develop the Secure Shell Protocol (SSH)
TIL SSH was invented by a Finn. I swear that country has the most awesome per capita of any country on earth.
Long dark winters when everyone is home without socializing with people. You have got to come up with something to survive until the two week summer.
Long dark winters when everyone is home without socializing with people. You have got to come up with something to survive until the two week summer.
Even the researcher who reported this doesn’t go as far as this headline.
“I am an admin, should I drop everything and fix this?”
Probably not.
The attack requires an active Man-in-the-Middle attacker that can intercept and modify the connection’s traffic at the TCP/IP layer. Additionally, we require the negotiation of either ChaCha20-Poly1305, or any CBC cipher in combination with Encrypt-then-MAC as the connection’s encryption mode.
[…]
“So how practical is the attack?”
The Terrapin attack requires an active Man-in-the-Middle attacker, that means some way for an attacker to intercept and modify the data sent from the client or server to the remote peer. This is difficult on the Internet, but can be a plausible attacker model on the local network.
Interpreting “a previously-unrecognized weakness in X was just found” as “X just got weaker” is dangerously bad tech writing.
I expect better of Ars. Absolute clickbait title and sensationalism. You need a two point MITM and even then it’s not a magic shell.
