Re: [Curdle] [saag] Time for SSH3?
Peter Gutmann <pgut001@cs.auckland.ac.nz> Thu, 21 December 2023 01:36 UTC
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Dmitry Belyavsky <beldmit@gmail.com>, David Schinazi <dschinazi.ietf@gmail.com>
CC: saag <saag@ietf.org>, "curdle@ietf.org" <curdle@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/K5hxQyTa_80su_A9CzHmAel_87U>

Dmitry Belyavsky <beldmit@gmail.com> writes:

>Well, TLS 1.3 had to be redesigned to mimic TLS 1.2 and got 50% sites
>supporting it only in November 2021 despite all the advantages.

That's *web* sites, not sites in general. For non-web use, it's going to take years, up to 1-2 decades, to switch fully to TLS 1.3.

With SSH it's even worse, it's pretty much the universal access mechanism for anything and everything that needs CLI access, and those devices often run until the hardware fails, with hardware that's designed not to fail much in the first place. I've still got bug-workarounds for 20-year-old SSH bugs in my code because systems are still running that, the last thing you want to do is throw a completely new incompatible protocol into that situation.

As I pointed out previously, a large majority of these devices are immune to this attack because they never implemented the @openssh.com homebrew mechanisms in the first place, so there isn't even anything to fix there.

Peter.