Date: Fri, 7 Nov 2014 10:24:26 +1100 From: Michael Samuel <mik@...net.net> To: oss-security@...ts.openwall.com Subject: Re: CVE Request: Qt Creator fails to verify SSH host key On 7 November 2014 00:04, Jason A. Donenfeld <Jason@...c4.com> wrote: > I reported this bug to the development team, alongside another bug > involving cipher-suite compatibility with OpenSSH 6.7 (no CTR modes). They > marked the latter as priority 1, and fixed it within 24 hours. The former, > however, has received a bit more of a hesitant reaction. The most recent > vendor feedback seems to indicate they're not super interested in > implementing this. This is a serious bug (it certainly circumvents the security of OpenSSH), but I think the proposed fix doesn't fit. What might be a better solution is to store the public key for all devices, and accept if it matches any device you've talked to before. On discovering a new device, it shows the fingerprint and prompts for a name/description. Then you can revoke devices in some other part of the UI when you need to clean up. Regards, Michael
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.