IETF-SSH archive
Re: Terrapin
Before people get too caught up in kludging the SSH protocol and potentially
breaking lots of implementations to try and get around this problem (if there
is one), some thoughts...
1. We need to get a clear statement of just how big a deal this really is, not
in theory, but in practice. AFAICT it's more checkered-trouser-time than
brown-trouser-time.
2. The problem isn't in the SSH protocol but in a third-party add-on to it,
which means the simple fix is just "don't do that, then", not kludging all
sorts of stuff onto the existing SSH protocol. If you don't do that,
there's no need to kludge anything.
3. The long-term fix is to create an IETF-standardised EtM mechanism to
replace the third-party one. For this I'd say it should hash the full
handshake transcript not just the current practice of picking out little
bits and pieces and only hashing those, which is practically begging for an
attack (it's putting up a big "please attack here" sign on all the bits
that don't get hashed), and changing the metadata processing so the current
attack is no longer possible. Oh, and it should be reviewed by SAAG or
CFRG or BYOG or whoever feels responsible for this sort of thing to look at
it before being pushed into production.
Peter.
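An added illustration of point 3, not part of Peter's post: a toy transcript model (constructed message names and payloads, not real SSH encoding) showing that a hash over hand-picked fields cannot notice a handshake message that was removed, while a hash over the full transcript can.

```python
import hashlib

# Constructed toy handshake: (message_name, payload) pairs standing in for the
# key-exchange messages. Not real SSH wire format; an assumption for illustration.
HANDSHAKE = [
    ("KEXINIT_client", b"kex/cipher/mac algorithm lists"),
    ("KEXINIT_server", b"kex/cipher/mac algorithm lists"),
    ("EXT_INFO",       b"server-sig-algs=..."),
    ("NEWKEYS",        b""),
]

# "Current practice" as the post describes it: only hand-picked fields are hashed
# (here the two KEXINIT messages); everything else sits outside the check.
SELECTED = {"KEXINIT_client", "KEXINIT_server"}

def selective_hash(transcript):
    h = hashlib.sha256()
    for name, payload in transcript:
        if name in SELECTED:
            h.update(name.encode())
            h.update(payload)
    return h.hexdigest()

def full_transcript_hash(transcript):
    # Every message is hashed, each field length-prefixed so boundaries are
    # unambiguous (otherwise adjacent fields could be re-split without changing the hash).
    h = hashlib.sha256()
    for name, payload in transcript:
        for part in (name.encode(), payload):
            h.update(len(part).to_bytes(4, "big"))
            h.update(part)
    return h.hexdigest()

def drop_message(transcript, name):
    # Model a transcript from which one message has silently disappeared
    return [(n, p) for n, p in transcript if n != name]

def detected(hash_fn, transcript, dropped):
    """True if hash_fn distinguishes the honest transcript from one missing `dropped`."""
    return hash_fn(transcript) != hash_fn(drop_message(transcript, dropped))

if __name__ == "__main__":
    for fn in (selective_hash, full_transcript_hash):
        print(fn.__name__, "notices missing EXT_INFO:", detected(fn, HANDSHAKE, "EXT_INFO"))
```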