Differences

This shows you the differences between the selected revisions of the page.

2020-05-22 2021-12-06
grammar (martin) 5.20 Removed support for SSH-1 (martin)
Line 88: Line 88:
If this bug is detected, WinSCP will stop using ignore messages. This means that keepalives will stop working, and WinSCP will have to fall back to a secondary defense against [[#sshbug_plainpw1|SSH-1 password-length eavesdropping]]. If this bug is enabled when talking to a correct server, the session will succeed, but keepalives will not work and the session might be more vulnerable to eavesdroppers than it could be. If this bug is detected, WinSCP will stop using ignore messages. This means that keepalives will stop working, and WinSCP will have to fall back to a secondary defense against [[#sshbug_plainpw1|SSH-1 password-length eavesdropping]]. If this bug is enabled when talking to a correct server, the session will succeed, but keepalives will not work and the session might be more vulnerable to eavesdroppers than it could be.
 +
 +//The SSH-1 support has been removed in the latest beta version.// &beta
===== [[sshbug_plainpw1]] Refuses all SSH-1 password camouflage ===== ===== [[sshbug_plainpw1]] Refuses all SSH-1 password camouflage =====
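Review bot: The note added at the end of the ignore-message section stands as its own paragraph, whereas in the two later sections it is appended to an existing "This is an %%SSH-1%%-specific bug." sentence. The paragraph above it here never states that the bug applies only to SSH-1, so the reader is left to work out why the removal of SSH-1 matters for this setting. If the bug is SSH-1 specific, as the reference to SSH-1 password-length eavesdropping suggests, open the new paragraph with the same "This is an %%SSH-1%%-specific bug." sentence so that all three sections read alike.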
Line 94: Line 96:
If this bug is detected, WinSCP will assume that neither ignore messages nor padding are acceptable, and that it thus has no choice but to send the user's password with no form of camouflage, so that an eavesdropping user will be easily able to find out the exact length of the password. If this bug is enabled when talking to a correct server, the session will succeed, but will be more vulnerable to eavesdroppers than it could be. If this bug is detected, WinSCP will assume that neither ignore messages nor padding are acceptable, and that it thus has no choice but to send the user's password with no form of camouflage, so that an eavesdropping user will be easily able to find out the exact length of the password. If this bug is enabled when talking to a correct server, the session will succeed, but will be more vulnerable to eavesdroppers than it could be.
-This is an %%SSH-1%%-specific bug. SSH-2 is secure against this type of attack. +This is an %%SSH-1%%-specific bug. SSH-2 is secure against this type of attack. //The SSH-1 support has been removed in the latest beta version.// &beta
===== Chokes on SSH-1 RSA authentication ===== ===== Chokes on SSH-1 RSA authentication =====
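Review bot: "the latest beta version" in the added sentence is relative wording that goes stale as soon as the beta becomes a release or a newer beta appears, and it does not tell a reader on an older release whether the password camouflage caveat still applies to them. The edit summary for this revision names 5.20, so state the version in the text itself, for example "SSH-1 support has been removed in version 5.20", assuming that is the version the summary refers to. Dropping the leading "The" also reads better, and the added sentence writes SSH-1 without the %%...%% wrapper that the sentence just before it on the same line uses.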
Line 102: Line 104:
If this bug is detected, WinSCP will go straight to password authentication. If this bug is enabled when talking to a correct server, the session will succeed, but of course %%RSA%% authentication will be impossible. If this bug is detected, WinSCP will go straight to password authentication. If this bug is enabled when talking to a correct server, the session will succeed, but of course %%RSA%% authentication will be impossible.
-This is an %%SSH-1%%-specific bug. +This is an %%SSH-1%%-specific bug. //The SSH-1 support has been removed in the latest beta version.// &beta
===== Further Reading ===== ===== Further Reading =====
Read more about [[ui_login|Login dialog]] and [[ui_login_advanced|Advanced Site Settings dialog]]. Read more about [[ui_login|Login dialog]] and [[ui_login_advanced|Advanced Site Settings dialog]].
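Review bot: This is the third verbatim copy of the removal note, appended after "This is an %%SSH-1%%-specific bug." in the RSA authentication section, and the surrounding text still describes the fallback to password authentication in the present tense with no indication of which versions it applies to. Three copies have to be kept in sync by hand when the beta marker is dropped. Consider stating the removal once, in a place that covers all SSH-1 sections, or at least wording each copy so it scopes the section, for example "This section applies only to versions that still support SSH-1."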

Last modified: by martin