Re: Which one have more vulnerability history, SSH or OpenSSH ?
From: Byron Sonne (blsonne_at_rogers.com)
Date: 03/15/04
- Previous message: Mark G. Spencer: "Generating digital certificates?"
- In reply to: chumma chumma: "Which one have more vulnerability history, SSH or OpenSSH ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 15 Mar 2004 13:50:08 -0500 To: chumma chumma <ammavanayi@yahoo.co.in>, security-basics@securityfocus.com
> I would like to use openssh over commercial ssh. Which
> one has had more security problems in the past? Some in my
> IT department claim that openssh is more insecure because
> it had more problems? Is it true? Or is it something
> in the long past.
This is not as simple a question as it might appear.
My personal estimate would be that yes, OpenSSH probably has more of a
history of vulnerabilities being made public. But that's just a guess.
More people use OpenSSH so it is a more prevalent target. It's also a
more attractive target; if you're a cracker you'll probably get more
kudos from your buddies.
But then we have to give thought to which version numbers. If you're
running anything that's out of date you're opening yourself to problems.
And what flavour of OpenSSH, portable? If so, check this blurb from the
http://www.openssh.org/ website:
"Managing the distribution of OpenSSH is split into two teams. One team
does strictly OpenBSD-based development, aiming to produce code that is
as clean, simple, and secure as possible. We believe that simplicity
without the portability "goop" allows for better code quality control
and easier review. The other team then takes the clean version and makes
it portable, by adding the portability "goop" so that it will run on
many operating systems (these are known as the p releases, and named
like "OpenSSH 3.8p1"). Please click on the provided link for your
operating system."
So one could reasonably anticipate that by adding the "portability goop"
you're going to open up a much, much wider field for vulnerabilities.
Also, was it built from source or installed as precompiled binaries? How
was it configured? All valuable questions. And some of the
vulnerabilities are not in OpenSSH but rather in libraries that it
depends on, such as SSL type stuff.
I personally would still stick with OpenSSH for the foreseeable future.
They tend to fix problems pretty quickly. Since it is open I feel very
positive about their ability to adapt to user needs and concerns.
-- For Good, return Good. For Evil, return Justice.
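As an added example, not part of the original thread: the reply says the answer depends on which release you run, whether it is a portable "p" build, and which crypto library it links. The parser below pulls exactly those facts out of an `ssh -V` banner so they can be inventoried. The banner strings are constructed to match the real banner layout, and the 3.8 baseline is an assumption taken from the quoted blurb, not a recommendation from the post.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import Optional, Tuple

# "ssh -V" banner layout, e.g. (constructed samples; 3.8p1 is the release the
# quoted openssh.org blurb names):
#   OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7c 30 Sep 2003
#   OpenSSH_9.6p1 Ubuntu-3ubuntu13, OpenSSL 3.0.13 30 Jan 2024
#   OpenSSH_9.6, LibreSSL 3.8.2          (OpenBSD build, no portability goop)
BANNER_RE = re.compile(
    r"OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?"
    r"(?P<portable>p\d+)?(?P<vendor>[^,]*),?\s*(?P<rest>.*)$"
)
# Linked crypto library; older banners print a hex OpenSSL id instead,
# which deliberately does not match and is reported as unknown.
LIB_RE = re.compile(r"(OpenSSL|LibreSSL)\s+(\d+\.\d+\.\d+[a-z]?)")

@dataclass
class SshBuild:
    version: Tuple[int, int, int]           # (major, minor, patch)
    portable: bool                          # a "p" release (portability goop added)
    vendor_tag: str                         # distro suffix such as "Ubuntu-3ubuntu13"
    crypto_lib: Optional[Tuple[str, str]]   # (name, version) of the linked library

def parse_banner(banner: str) -> SshBuild:
    """Parse one ssh -V banner; raises ValueError for anything that is not OpenSSH."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError(f"not an OpenSSH banner: {banner!r}")
    lib = LIB_RE.search(m.group("rest"))
    return SshBuild(
        version=(int(m.group("major")), int(m.group("minor")), int(m.group("patch") or 0)),
        portable=m.group("portable") is not None,
        vendor_tag=m.group("vendor").strip(),
        crypto_lib=(lib.group(1), lib.group(2)) if lib else None,
    )

def is_out_of_date(build: SshBuild, baseline: Tuple[int, int, int]) -> bool:
    """True when the build is older than the release you treat as current."""
    return build.version < baseline

def local_banner() -> str:
    """Run "ssh -V" on this host; OpenSSH writes the banner to stderr."""
    proc = subprocess.run(["ssh", "-V"], capture_output=True, text=True, check=False)
    return (proc.stderr or proc.stdout).strip()

if __name__ == "__main__":
    build = parse_banner(local_banner())
    print(build, "out of date:", is_out_of_date(build, (3, 8, 0)))  # assumed baseline
```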