Message-ID: <CACYkhxjnwt4Q4VVcHa90hQ4LkZTHmUeKTqVBg-59ryxSQTC5Qw@mail.gmail.com>
Date: Fri, 7 Nov 2014 10:24:26 +1100
From: Michael Samuel <mik@...net.net>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: Qt Creator fails to verify SSH host key

On 7 November 2014 00:04, Jason A. Donenfeld <Jason@...c4.com> wrote:
> I reported this bug to the development team, alongside another bug
> involving cipher-suite compatibility with OpenSSH 6.7 (no CTR modes). They
> marked the latter as priority 1, and fixed it within 24 hours. The former,
> however, has received a bit more of a hesitant reaction. The most recent
> vendor feedback seems to indicate they're not super interested in
> implementing this.

This is a serious bug (it certainly circumvents the security of OpenSSH), but I think the proposed fix doesn't fit.

What might be a better solution is to store the public key for all devices, and accept if it matches any device you've talked to before. On discovering a new device, it shows the fingerprint and prompts for a name/description.

Then you can revoke devices in some other part of the UI when you need to clean up.

Regards,
  Michael
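An added example, not from the thread or from Qt Creator's code, of the device-keyed trust-on-first-use store Michael sketches above: unknown keys are shown as a fingerprint and named by the user, known keys are accepted regardless of which host presented them, and devices can be revoked by name. The key blobs and device names are constructed placeholders; the `prompt` callback stands in for whatever UI dialog would ask the user.

```python
import base64
import hashlib
import json
from typing import Callable, Dict, Optional

def fingerprint(pubkey_blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint (unpadded base64) of a raw public key blob."""
    digest = hashlib.sha256(pubkey_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

class DeviceKeyStore:
    """Trust-on-first-use store keyed by the full public key rather than by host
    name, so a key is accepted if it belongs to any device the user has named."""

    def __init__(self) -> None:
        self.devices: Dict[bytes, str] = {}  # public key blob -> user-given name

    def verify(self, pubkey_blob: bytes,
               prompt: Callable[[str], Optional[str]]) -> bool:
        """Return True if the key may be used. Unknown keys go through `prompt`,
        which is shown the fingerprint and returns a name, or None to reject."""
        if pubkey_blob in self.devices:       # exact key match, not just fingerprint
            return True
        name = prompt(fingerprint(pubkey_blob))
        if not name:
            return False                      # user declined: connection refused
        self.devices[pubkey_blob] = name      # remembered for future connections
        return True

    def revoke(self, name: str) -> int:
        """Forget every key registered under `name`; returns how many were removed."""
        doomed = [k for k, n in self.devices.items() if n == name]
        for k in doomed:
            del self.devices[k]
        return len(doomed)

    def dump(self) -> str:
        """Serialise to JSON (keys hex-encoded) for a settings file."""
        return json.dumps({k.hex(): n for k, n in self.devices.items()})

    @classmethod
    def load(cls, text: str) -> "DeviceKeyStore":
        store = cls()
        store.devices = {bytes.fromhex(k): n for k, n in json.loads(text).items()}
        return store
```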