Differences

This shows you the differences between the selected revisions of the page.

2008-04-18 2008-04-28
login dialog in caption (martin) 4.1 putty 0.60 refuses camouflage desc update (martin)
Line 24: Line 24:
When talking to an SSH-1 server which cannot deal with [[ui_login_bugs#chokes_on_ssh-1_ignore_messages|ignore messages]], WinSCP will attempt to disguise the length of the user's password by sending additional padding within the password packet. This is technically a violation of the SSH-1 specification, and so WinSCP will only do it when it cannot use standards-compliant ignore messages as camouflage. In this sense, for a server to refuse to accept a padded password packet is not really a bug, but it does make life inconvenient if the server can also not handle ignore messages. When talking to an SSH-1 server which cannot deal with [[ui_login_bugs#chokes_on_ssh-1_ignore_messages|ignore messages]], WinSCP will attempt to disguise the length of the user's password by sending additional padding within the password packet. This is technically a violation of the SSH-1 specification, and so WinSCP will only do it when it cannot use standards-compliant ignore messages as camouflage. In this sense, for a server to refuse to accept a padded password packet is not really a bug, but it does make life inconvenient if the server can also not handle ignore messages.
-If this 'bug' is detected, WinSCP will have no choice but to send the user's password with no form of camouflage, so that an eavesdropping user will be easily able to find out the exact length of the password. If this bug is enabled when talking to a correct server, the session will succeed, but will be more vulnerable to eavesdroppers than it could be.·+If this bug is detected, WinSCP will assume that neither ignore messages nor padding are acceptable, and that it thus has no choice but to send the user's password with no form of camouflage, so that an eavesdropping user will be easily able to find out the exact length of the password. If this bug is enabled when talking to a correct server, the session will succeed, but will be more vulnerable to eavesdroppers than it could be.
This is an SSH-1-specific bug. SSH-2 is secure against this type of attack. This is an SSH-1-specific bug. SSH-2 is secure against this type of attack.

Last modified: by martin