Re: When SSH standards noncompliance is a "feature"

To: "Jeffrey T. Hutzelman" <jhutz%cmu.edu@localhost>, "ietf-ssh%netbsd.org@localhost" <ietf-ssh%netbsd.org@localhost>
Subject: Re: When SSH standards noncompliance is a "feature"
From: Peter Gutmann <pgut001%cs.auckland.ac.nz@localhost>
Date: Thu, 10 Jun 2021 16:35:12 +0000

Jeffrey T. Hutzelman <jhutz%cmu.edu@localhost> writes:

>About the only thing this does is prevent security scanning software from
>reporting the apparent presence of a vulnerable version.

Yup, and that's exactly the reason for doing it: You don't need to fix a vuln
when the scanner can't tell anyone you have it.

As Raymond Chen likes to say, "I bet somebody got a really nice bonus for that
feature".

Peter.

Follow-Ups:
- Re: When SSH standards noncompliance is a "feature"
  - From: Mouse

References:
- diffie-hellman-group14-sha256 vs ssh-rsa and SHA-1
  - From: Mouse
- Re: diffie-hellman-group14-sha256 vs ssh-rsa and SHA-1
  - From: Peter Gutmann
- Re: diffie-hellman-group14-sha256 vs ssh-rsa and SHA-1
  - From: Mouse
- Re: diffie-hellman-group14-sha256 vs ssh-rsa and SHA-1
  - From: Peter Gutmann
- Re: diffie-hellman-group14-sha256 vs ssh-rsa and SHA-1
  - From: Mouse
- Re: diffie-hellman-group14-sha256 vs ssh-rsa and SHA-1
  - From: Peter Gutmann
- When SSH standards noncompliance is a "feature"
  - From: Peter Gutmann
- Re: When SSH standards noncompliance is a "feature"
  - From: Jeffrey T. Hutzelman

Prev by Date: Re: When SSH standards noncompliance is a "feature"
Next by Date: Re: When SSH standards noncompliance is a "feature"
Previous by Thread: Re: When SSH standards noncompliance is a "feature"
Next by Thread: Re: When SSH standards noncompliance is a "feature"
Indexes:

Home | Main Index | Thread Index | Old Index