openssh and keystroke timing attacks (again)

Alan Barrett apb at cequrux.com
Tue Dec 28 17:39:56 EST 2010


On Mon, 27 Dec 2010, Andrew Clausen wrote:
> I think Jason's approach is spot on:
>  * keystrokes should be only sent at predetermined intervals (eg:
> every 50ms, or 20 times a second)
>  * cover traffic at these fixed transmission times should be sent even
> if no keystroke is pressed.  This can be turned off whenever a user is
> idle for 3 seconds.

This idea has merit, but please make it adapt to low bandwidth and high
delay networks.  For example, avoid sending dummy traffic if the transmit
queue is not empty (which probably signifies a low bandwidth or high loss
connection); or move the predetermined intervals further apart if the
connection has high round trip time.

--apb (Alan Barrett)
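
The scheme discussed in this thread, as a small simulation added here for illustration; it is not OpenSSH code and not code from either poster. Assumptions: the quarter-of-RTT widening rule, the `queue_busy` probe, and one packet per tick carrying all buffered keys are hypothetical choices, and real and dummy packets are taken to be indistinguishable on the wire.

```python
from collections import deque

BASE_INTERVAL_MS = 50   # from the thread: every 50ms, 20 times a second
IDLE_CUTOFF_MS = 3000   # from the thread: cover traffic off after 3 s idle

def tick_interval(rtt_ms, base=BASE_INTERVAL_MS):
    # Assumption: widen the ticks to a quarter of the RTT once that exceeds base.
    return max(base, rtt_ms // 4)

def schedule(keystrokes_ms, rtt_ms, end_ms, queue_busy=lambda t: False):
    """Return [(time_ms, kind)], kind being "real" or "dummy".

    keystrokes_ms: sorted key-press times in ms.
    queue_busy(t): hypothetical probe, True if the transmit queue still
    holds unsent data at time t (low bandwidth or lossy link).
    """
    interval = tick_interval(rtt_ms)
    pending = deque(keystrokes_ms)
    buffered, last_key, sent = 0, None, []
    for t in range(interval, end_ms + 1, interval):
        # Collect every key pressed since the previous tick.
        while pending and pending[0] <= t:
            last_key = pending.popleft()
            buffered += 1
        if buffered:
            sent.append((t, "real"))    # buffered keys leave only on the tick
            buffered = 0
        elif (last_key is not None and t - last_key < IDLE_CUTOFF_MS
              and not queue_busy(t)):
            sent.append((t, "dummy"))   # cover traffic while the user is active
    return sent

def wire_times(sent):
    # What a passive observer sees: packet times only, not packet kinds.
    return [t for t, _ in sent]

# Constructed sample inputs: two different typing rhythms.
KEYS_A = [12, 131, 140, 305]
KEYS_B = [40, 60, 210, 349]
```

With these two constructed rhythms the observer sees the same packet times, so the inter-keystroke gaps are hidden; what still leaks is when a typing burst starts and roughly when it ended.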


More information about the openssh-unix-dev mailing list