Packet Timing and Data Leaks
Chris Rapier
rapier at psc.edu
Tue Aug 8 06:44:04 AEST 2023
On 8/7/23 1:06 PM, Thorsten Glaser wrote:
> On Mon, 7 Aug 2023, Howard Chu wrote:
>
>>>> The keystroke timing issue would be solved by adding LINEMODE support as I did back in 2010.
>>>> https://lists.mindrot.org/pipermail/openssh-unix-dev/2010-June/028732.html
>>>
>>> Local line editing by using GNU libreadline? *shudder* No, thanks.
>>
>> I also ported it to use libedit instead, but readline is more widely used.
>
> Yeah, same point though. I actually did work with such a system once,
> namely Android adb before they removed the local line editing part
> once they had imported mksh, and it was awful. You lose any sort of
> connection to the command line input mode of the remote shell (not
> everyone uses a shell backed by libreadline/libedit), and even
> passwords would show up in the scrollback, etc. but the worst is the
> missing tab completion.
>
> I also doubt it will catch many relevant use cases, e.g. editors.

I think these are valid critiques and using something like this against
a "maybe it's an issue" thing is a bit heavy at this point. However, as
an intellectual exercise, could interpacket timing actually be a
potential information leak in an interactive ssh session? If so, then
how much of a threat is it really? So assuming that it could be done and
that it's a reasonable threat, how would we go about mitigating it?

Honestly, just curious about what people think. I don't know if this
could ever be a real issue or if I'm just being overly imaginative.

Chris