Ask HN: SSH is still safe, after NSA?
After all this news about NSA spying everything, is SSH still a safe tool? Almost certainly, provided you're running a recent-enough version. A snooper at the line level would be able to see that you were SSH'ing to a given system and the amount of data transferred, but nothing more. SSH has had very few vulnerabilities and has been really put through the ringer crypto-wise for quite some time. The protocol itself is likely quite solid. Of its common crypto algorithms, the only one I'd avoid is arcfour/RC4. It's an algorithm that's known to be somewhat weaker than other common algos. Blowfish, AES, CAST, Salsa20, Twofish, etc. are not known to have any practical real-world-usable attacks against full-round versions. Keep in mind that in the crypto world a "break" is anything that shortens the time to recover the key from that of a brute force search. So if I find a shortcut to crack a 2^128 key size symmetric cipher in "only" 2^112 iterations, that's a break. But it's not useful in the real world. To be useful in the real world, a break has to shorten things down to... well... depends on the adversary but probably <2^64. Of course you cannot rule out the possibility that the NSA has unpublished attacks against any of these, but most cryptographers I've read consider it somewhat unlikely that they have an unpublished attack good enough to efficiently crack them and read traffic in a real world scenario. > SSH'ing to a given system and the amount of data transferred, but nothing more. A passive eavesdropper sees very precise timing of every keystroke, as well as the timing and size of the response. This is enough to reconstruct text being typed with surprisingly good accuracy. [ignore this - see edits] i thought one problem with ssh was that it used tcp and too-large packets. hence that other thing that builds on top of it, and whose name i can't remember. having said that, i'm sure there is side channel info - i'm just not sure how precise things are. also, what cipher suite does ssh use. does it have forward secrecy? [edit1: to answer that last question; yes it does.] [edit2: paper on keystroke timing attack - http://users.ece.cmu.edu/~dawnsong/papers/ssh-timing.pdf - each keystroke is a packet; passwords have no echo. this is from 2001 - it has suggestions like sending packets when idle, but i don't think they've been implemented.] I am pretty sure NSA's would have better ways to get information about you than to just rely on periodicity of your keystrokes and doing all those analytics based on heuristics. This has nothing to do with 'information about me'. The NSA has bunch of old declassified internal newsletters on their website. Traffic and timing side channels analysis is classic, old-school SIGINT. SSH is not safe if you ssh into a resource (directly or indirectly) controlled by NSA. The protocol as such is secure in the sense that for an 'adversary' with average compute power, it is impossible to 'break' the protocol. As safe as your private key / password. > is SSH still a safe tool? Is there something better? Well ssh is a fairly complex daemon with quite a few features. For example with OpenSSH you can authenticate with a preshared key and challenge response or with PAM integration, or with a regular unix password. It also supports several types of encryption. All these things are useful but requires more code. Some people would argue that a very simple daemon with fewer features might be more secure because it has less attack area. For example Colin Percival of Tarsnap created spiped which essentially replaces 'ssh -L'. It only supports shared key authentication and AES-256 and consists of only about 4000 lines. He connects to ssh through a spipe tunnel. > Some people would argue that a very simple daemon with fewer features might be more secure because it has less attack area. If it's true for something like a web server, it ought to be true for SSH. Thanks for the link to spiped. > Is there something better? Not using the internet is better :P Yet, here we are. It has just occurred to me that I went from an employer for whom 'the internet' was just a medium over which biz was transacted to one for whom without 'the internet' would not exist at all.