by stuff4ben 2250 days ago
This would primarily affect web servers exposing SSH access to the public, right? I suppose it also affects internally accessible servers as well but to a lesser degree in terms of priority.

SSH != SSL. EDIT: Expect web servers running HTTPS in modern configurations to be affected, and other TLS-based protocols. SSH is fine.

Both SSH and SSL are based on TLS. The leak in question has a problem

> during or after a TLS 1.3 handshake

Sure, OpenSSL is not SSH, but it is not unreasonable to assume this leak may affect web servers as well (e.g. by being based on the same underlying TLS implementation).

"SSH != SSL" is a bit short to invalidate the assumption of the OP. I'd not be so sure this problem does not affect "web server X".

https://en.wikipedia.org/wiki/Transport_Layer_Security

OK, learnt something new today: https://crypto.stackexchange.com/questions/60255/why-doesnt-...

https://xkcd.com/1053/

Thanks! :)

> Both SSH and SSL are based on TLS.

You are very mistaken. OpenSSH only uses OpenSSL (or LibreSSL) as an optional dependency for the libcrypto primitives (RSA/AES etc). NOT for libssl.

The SSH protocol has nothing to do with either SSL or TLS.

> Both SSH and SSL are based on TLS

No.

The parent is asking if primarily servers exposing "SSH" are affected. I should be less glib though, fair enough. Will edit.