LZ4 compression in openssh

Damien Miller djm at mindrot.org
Tue Oct 29 13:01:08 EST 2013


On Mon, 28 Oct 2013, Aris Adamantiadis wrote:

> Also nice to know that zlib at openssh.com enables the compression only
> after authentication, mitigating the known problems with compression
> and passwords. It is also very hard to do chosen-plaintext attacks on
> the client to server side (in opposite to HTTPS where that's trivial).
> And most passwords that are typed after authentications are entered
> character by character, making them fall under the padding length
> anyway. I think the compression vulnerabilities in CRIME are not
> appliable to SSH with delayed compression.

I think CRIME-like attacks would be impractical for SSH anyway. HTTPS is
somewhat special in that an attacker may plausibly force their victim to
make an effectively unlimited number of connections containing chosen
plaintext. This set of circumstances is pretty far from usual for SSH.

-d


More information about the openssh-unix-dev mailing list