keystroke timing attack

Markus Friedl markus at openbsd.org
Sun Nov 11 00:01:45 EST 2001


On Sat, Nov 10, 2001 at 10:49:12AM +0100, Denis Ducamp wrote:
> With a recent openssh, exact password lengths aren't guessable; but
> passwords typed in the ssh session, i.e. after ssh authentication, are
> detectable because there isn't any echo returned by the server to the
> client.

note that recent openssh servers try to send back fake echo packets
and defeat the SU-signature.

-m



More information about the openssh-unix-dev mailing list