
Ask HN: SSH is still safe, after NSA? - hgfischer
After all this news about NSA spying everything, is SSH still a safe tool?
======
api
Almost certainly, provided you're running a recent-enough version.

A snooper at the line level would be able to see that you were SSH'ing to a
given system and the amount of data transferred, but nothing more.

SSH has had very few vulnerabilities and has been really put through the
wringer crypto-wise for quite some time. The protocol itself is likely quite
solid. Of its common crypto algorithms, the only one I'd avoid is arcfour/RC4.
It's an algorithm that's known to be somewhat weaker than other common algos.
Blowfish, AES, CAST, Salsa20, Twofish, etc. are not known to have any
practical real-world-usable attacks against full-round versions.

Keep in mind that in the crypto world a "break" is anything that shortens the
time to recover the key from that of a brute force search. So if I find a
shortcut to crack a 2^128 key size symmetric cipher in "only" 2^112
iterations, that's a break. But it's not useful in the real world. To be
useful in the real world, a break has to shorten things down to... well...
depends on the adversary but probably <2^64.

Of course you cannot rule out the possibility that the NSA has unpublished
attacks against any of these, but most cryptographers I've read consider it
somewhat unlikely that they have an unpublished attack good enough to
_efficiently_ crack them and read traffic in a real world scenario.
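
The advice above amounts to "leave the RC4 family out of your cipher list". As an added example (not code from the thread or from OpenSSH), here is a small Python check that reads the `Ciphers` directive of an `sshd_config`/`ssh_config` excerpt, handles OpenSSH's `+`/`-`/`^` list-modifier syntax, and reports any `arcfour*` entry that would end up enabled. The sample configurations are constructed for the demo; the first-occurrence rule and the modifier syntax are OpenSSH's documented behaviour, while `Match` blocks are deliberately not modelled.

```python
import fnmatch
import re

# Cipher family the thread singles out. OpenSSH spells RC4 as "arcfour",
# "arcfour128" and "arcfour256"; the glob covers all three.
AVOID_PATTERNS = ("arcfour*",)


def strip_comment(line):
    """Drop a trailing '#' comment and surrounding whitespace from a config line."""
    return line.split("#", 1)[0].strip()


def parse_ciphers(config_text):
    """Return (mode, names) for the effective Ciphers directive.

    OpenSSH uses the first occurrence of a keyword, so the first Ciphers line
    wins. mode is '=' for an explicit list, '+' / '^' for names appended /
    prepended to the build's defaults, '-' for names removed from them, or
    None when the directive is absent and the build's default list applies.
    Match blocks are not modelled (assumption: a single global section).
    """
    for raw in config_text.splitlines():
        line = strip_comment(raw)
        m = re.match(r"ciphers[\s=]+(\S+)", line, re.IGNORECASE)
        if not m:
            continue
        value = m.group(1)
        mode = "="
        if value[0] in "+-^":
            mode, value = value[0], value[1:]
        names = [n for n in value.split(",") if n]
        return mode, names
    return None, []


def flagged_ciphers(config_text):
    """Names in the Ciphers directive matching AVOID_PATTERNS that would be enabled.

    A '-' directive removes names, so whatever it lists is not a problem. An
    absent directive means the defaults apply; whether those still include
    arcfour depends on the OpenSSH version, which a text-only check cannot see.
    """
    mode, names = parse_ciphers(config_text)
    if mode in (None, "-"):
        return []
    return [n for n in names
            if any(fnmatch.fnmatch(n, pat) for pat in AVOID_PATTERNS)]


def audit(config_text):
    """Summarise the Ciphers configuration as a dict suitable for a report."""
    mode, names = parse_ciphers(config_text)
    flagged = flagged_ciphers(config_text)
    if mode is None:
        verdict = "no Ciphers directive: build defaults apply, confirm with `ssh -Q cipher`"
    elif flagged:
        verdict = "weak cipher(s) enabled: " + ", ".join(flagged)
    else:
        verdict = "no arcfour ciphers enabled by this directive"
    return {"mode": mode, "ciphers": names, "flagged": flagged, "verdict": verdict}


# Constructed sample configurations (not taken from any real host).
SAMPLE_EXPLICIT = """\
# sshd_config excerpt (constructed)
Port 22
Ciphers aes256-ctr,arcfour256,aes128-ctr   # arcfour256 left over from an old template
MACs hmac-sha2-256,hmac-sha2-512
"""
SAMPLE_REMOVED = "Ciphers -arcfour*,3des-cbc\n"
SAMPLE_DEFAULT = "Port 22\nPermitRootLogin no\n"

if __name__ == "__main__":
    for label, cfg in (("explicit", SAMPLE_EXPLICIT),
                       ("removed", SAMPLE_REMOVED),
                       ("default", SAMPLE_DEFAULT)):
        print(label, "->", audit(cfg)["verdict"])
```

When the directive is absent, the effective list is whatever the installed build defaults to; `ssh -Q cipher` prints the ciphers that build supports at all, which is the quickest way to confirm that `arcfour*` is no longer even available on a current OpenSSH.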

~~~
marshray
> SSH'ing to a given system and the amount of data transferred, but nothing
> more.

A passive eavesdropper sees very precise timing of every keystroke, as well as
the timing and size of the response.

This is enough to reconstruct text being typed with surprisingly good
accuracy.
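
To make the side channel in this post concrete from the defender's side, here is an added Python model (not code from the thread, and not OpenSSH's implementation) of what an eavesdropper measures and of the countermeasure later OpenSSH versions adopted: delaying each keystroke to the next fixed tick and sending same-sized chaff packets on idle ticks. The 20 ms cadence is borrowed from OpenSSH 9.5's `ObscureKeystrokeTiming` default; the keystroke timestamps are constructed, and the fixed-length tail is a simplification (OpenSSH randomises it).

```python
import math
import statistics

# Send cadence in ms. OpenSSH's ObscureKeystrokeTiming uses a 20 ms tick; the
# scheduling below is a simplified model of that idea, not OpenSSH's code.
INTERVAL_MS = 20


def observed_intervals(packet_times_ms):
    """Inter-arrival times (ms) a passive observer on the wire can measure."""
    return [later - earlier
            for earlier, later in zip(packet_times_ms, packet_times_ms[1:])]


def timing_leak(packet_times_ms):
    """Spread of the inter-arrival times (population std dev, ms).
    Zero means every packet is spaced identically: the timing carries no signal."""
    intervals = observed_intervals(packet_times_ms)
    return statistics.pstdev(intervals) if intervals else 0.0


def naive_schedule(keystroke_times_ms):
    """Send each keystroke the instant it is typed, one packet per key.
    Returns [(send_time_ms, keystrokes_in_packet), ...]."""
    return [(t, 1) for t in keystroke_times_ms]


def obscured_schedule(keystroke_times_ms, interval_ms=INTERVAL_MS, tail_slots=5):
    """Delay each keystroke to the next interval_ms tick and emit a chaff packet
    on every tick with nothing pending, continuing for tail_slots ticks after the
    last keystroke (fixed here for determinism; OpenSSH randomises the tail).
    Returns [(send_time_ms, keystrokes_in_packet), ...]; 0 marks a chaff packet."""
    if not keystroke_times_ms:
        return []
    ticks = {}
    for t in keystroke_times_ms:
        slot = math.ceil(t / interval_ms) * interval_ms
        ticks[slot] = ticks.get(slot, 0) + 1
    first = min(ticks)
    last = max(ticks) + tail_slots * interval_ms
    return [(slot, ticks.get(slot, 0)) for slot in range(first, last + 1, interval_ms)]


# Constructed keystroke timestamps (ms) for a short burst of typing: the presses
# at 310 and 325 stand in for a fast digraph, the 175 ms gap before 500 for a pause.
KEYSTROKES_MS = [0, 95, 180, 310, 325, 500]


def compare(keystroke_times_ms=KEYSTROKES_MS):
    """Leak metric before and after obfuscation for the same keystroke sequence."""
    naive = [t for t, _ in naive_schedule(keystroke_times_ms)]
    obscured = [t for t, _ in obscured_schedule(keystroke_times_ms)]
    return {"naive_leak_ms": timing_leak(naive),
            "obscured_leak_ms": timing_leak(obscured)}


if __name__ == "__main__":
    print("naive intervals:   ", observed_intervals(KEYSTROKES_MS))
    sched = obscured_schedule(KEYSTROKES_MS)
    print("obscured intervals:", sorted(set(observed_intervals([t for t, _ in sched]))))
    print(compare())
```

The observer sees only the first element of each tuple: with the naive schedule the gaps reproduce the typist's rhythm exactly, while after obfuscation every gap is 20 ms and real and chaff packets are indistinguishable. The cost is a little latency and a steady trickle of padding, which is why the feature applies only to interactive sessions.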

~~~
keshy
I am pretty sure the NSA would have better ways to get information about you
than to just rely on the periodicity of your keystrokes and do all those
analytics based on heuristics.

~~~
marshray
This has nothing to do with 'information about me'. The NSA has a bunch of old
declassified internal newsletters on their website. Traffic and timing
side-channel analysis is classic, old-school SIGINT.

------
keshy
SSH is not safe if you ssh into a resource (directly or indirectly) controlled
by NSA. The protocol as such is secure in the sense that for an 'adversary'
with average compute power, it is impossible to 'break' the protocol.

------
ams0
As safe as your private key / password.

------
bdunbar
> is SSH still a safe tool?

Is there something better?

~~~
dmm
Well ssh is a fairly complex daemon with quite a few features. For example
with OpenSSH you can authenticate with a preshared key and challenge response
or with PAM integration, or with a regular unix password. It also supports
several types of encryption. All these things are useful but require more
code.

Some people would argue that a very simple daemon with fewer features might be
more secure because it has less attack area. For example Colin Percival of
Tarsnap created spiped which essentially replaces 'ssh -L'. It only supports
shared key authentication and AES-256 and consists of only about 4000 lines.
He connects to ssh through a spipe tunnel.

[https://www.tarsnap.com/spiped.html](https://www.tarsnap.com/spiped.html)

~~~
bdunbar
> Some people would argue that a very simple daemon with fewer features might
> be more secure because it has less attack area.

If it's true for something like a web server, it ought to be true for SSH.
Thanks for the link to spiped.

