This is very bad.
SSH is one of the fundamental underpinnings that makes the internet and world wide web fundamentally secure. Well, we now know that it has some serious weaknesses.
What it boils down to is compatibility. There's lots of ways to implement SSH. Think of them as a whole bunch of switches, and each switch is a different implementation. Some are strong, some are not. They're all out there so that if I use Switch A and you use Switch B, we can still talk. Very convenient, but also a bit problematic. What happens if Switch C has some weaknesses to it?
The problem is that in lots of SSH implementations, Switch C is left turned on for ease of compatibility. And unless people know and specifically turn Switch C off, and all the other known weak switches off, then there are exploitable weaknesses.
The bad news? LOTS of systems are vulnerable. From the article: "A scan performed by the researchers found that 77 percent of SSH servers exposed to the Internet support at least one of the vulnerable encryption modes, while 57 percent of them list a vulnerable encryption mode as the preferred choice."
77% support the vulnerable mode and 57% PREFERRED IT? YIKES!
The good news is that it requires a Man In The Middle (MITM) attack, and those are not easy to carry out - but they can be done. The even better news is that the security researchers have released a scanner to let server administrators know if they are vulnerable. Some SSH packages have been patched to fix this issue, others I'm sure are in process. But there is also a likelihood that some implementations are not, or that some servers are not being updated for various reasons and will continue to be vulnerable.
I don't think this represents much of a problem for users, so much as for network administrators. Unless you're a very valuable person and likely to be targeted by hackers or world powers, you're not likely to have the resources needed to pull this off turned against you. As I said, MITMs are not easy to pull off, and if you're not Pentagon R&D level sort of stuff, you're probably safe. But I expect Apple and Microsoft and the various Linux distros will be patching their SSH bundles to make sure everything is good in the very near future, just to make sure.
Warning about the article: it gets REALLY deep into the SSH weeds, so don't bother with it if you're not already wise to the subject.
https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/
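For administrators, the "support" versus "preferred" distinction in the quoted scan figures can be checked against a server's own advertised algorithm lists. The following is an added example, not part of the original post and not the researchers' scanner; the algorithm names come from the published research on this attack rather than from the post, and the three server listings are constructed sample data.

```python
# Added example: audit an SSH server's advertised algorithm lists.
# Algorithm names are taken from the published research on this attack,
# not from the post above. All sample data below is constructed.
CHACHA = "chacha20-poly1305@openssh.com"
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"  # server-side countermeasure marker

def parse_lists(text):
    """Parse 'name alg1,alg2,...' lines into {name: [alg, ...]}."""
    lists = {}
    for line in text.strip().splitlines():
        name, _, value = line.strip().partition(" ")
        lists[name.lower()] = [a for a in value.strip().split(",") if a]
    return lists

def audit(text):
    """Report whether affected modes are offered, preferred, or mitigated."""
    lists = parse_lists(text)
    kex = lists.get("kexalgorithms", [])
    ciphers = lists.get("ciphers", [])
    macs = lists.get("macs", [])
    cbc = [c for c in ciphers if c.endswith("-cbc")]
    etm = [m for m in macs if m.endswith("-etm@openssh.com")]
    # Affected modes: ChaCha20-Poly1305, or a CBC cipher paired with an EtM MAC.
    supports = CHACHA in ciphers or bool(cbc and etm)
    # "Preferred" here means the affected mode is what the server lists first.
    prefers = bool(ciphers) and (
        ciphers[0] == CHACHA
        or (ciphers[0] in cbc and bool(macs) and macs[0] in etm))
    strict = STRICT_KEX_SERVER in kex
    return {"supports": supports, "prefers": prefers, "strict_kex": strict,
            # Strict key exchange only helps if the client supports it too.
            "needs_action": supports and not strict}

# Constructed listings (not captured from real hosts).
LEGACY = """kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,hmac-sha2-256"""
MIXED = """kexalgorithms curve25519-sha256
ciphers aes256-gcm@openssh.com,aes128-ctr,aes128-cbc
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-256"""
HARDENED = """kexalgorithms curve25519-sha256,kex-strict-s-v00@openssh.com
ciphers aes256-gcm@openssh.com,aes128-ctr
macs hmac-sha2-256"""

if __name__ == "__main__":
    for label, sample in (("legacy", LEGACY), ("mixed", MIXED), ("hardened", HARDENED)):
        print(label, audit(sample))
```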
Date: 2023-12-20 04:07 pm (UTC)

Date: 2023-12-20 08:21 pm (UTC)
Faint bells about the ntpd problem. Yeah, that one was odd. I'm just glad that I'm out of mainline IT and sitting snug in a university library. :) It's a never-ending game of cat and mouse with computer security, and too many people in management not seeing a profit or cost benefit from IT to spend enough on security and patching.

Date: 2023-12-20 08:31 pm (UTC)

Date: 2023-12-21 05:57 am (UTC)
Hugs, Jon

Date: 2023-12-21 06:03 am (UTC)
You mean I know about as much about nursing as you do about Secure Shell? ROFL! Honestly, most of this article made a whooshing sound as it passed above my head. I understand the concepts involved, but this is so far into the weeds that I'm still cleaning dirt out of my ears. I know what it is, what it's for, and I leave it to a different group of people to make sure it's maintained properly. Entirely out of my bailiwick. But I can recognize a serious problem!

Date: 2023-12-21 07:01 am (UTC)

Date: 2023-12-21 07:55 pm (UTC)
I had six operations before the 4th grade. I don't want to know anything. :) I've done my time.

Date: 2023-12-22 12:46 am (UTC)

Date: 2023-12-26 03:29 am (UTC)
... yep, there's a tidy pile of SSH stuff waiting there.

Date: 2023-12-26 06:58 pm (UTC)
I knew the devs would be on it, with at least preliminary fixes and more refined stuff as time allows.

Date: 2023-12-27 02:23 am (UTC)