[api]

Almost certainly, provided you're running a recent-enough version.

A snooper at the line level would be able to see that you were SSH'ing to a given system and the amount of data transferred, but nothing more.

SSH has had very few vulnerabilities and has been really put through the ringer crypto-wise for quite some time. The protocol itself is likely quite solid. Of its common crypto algorithms, the only one I'd avoid is arcfour/RC4. It's an algorithm that's known to be somewhat weaker than other common algos. Blowfish, AES, CAST, Salsa20, Twofish, etc. are not known to have any practical real-world-usable attacks against full-round versions.

Keep in mind that in the crypto world a "break" is anything that shortens the time to recover the key from that of a brute force search. So if I find a shortcut to crack a 2^128 key size symmetric cipher in "only" 2^112 iterations, that's a break. But it's not useful in the real world. To be useful in the real world, a break has to shorten things down to... well... depends on the adversary but probably <2^64.

Of course you cannot rule out the possibility that the NSA has unpublished attacks against any of these, but most cryptographers I've read consider it somewhat unlikely that they have an unpublished attack good enough to efficiently crack them and read traffic in a real world scenario.

[marshray]

> SSH'ing to a given system and the amount of data transferred, but nothing more.

A passive eavesdropper sees very precise timing of every keystroke, as well as the timing and size of the response.

This is enough to reconstruct text being typed with surprisingly good accuracy.

[andrewcooke]

[ignore this - see edits] i thought one problem with ssh was that it used tcp and too-large packets. hence that other thing that builds on top of it, and whose name i can't remember. having said that, i'm sure there is side channel info - i'm just not sure how precise things are.

also, what cipher suite does ssh use. does it have forward secrecy?

[edit1: to answer that last question; yes it does.]

[edit2: paper on keystroke timing attack - http://users.ece.cmu.edu/~dawnsong/papers/ssh-timing.pdf - each keystroke is a packet‎; passwords have no echo. this is from 2001 - it has suggestions like sending packets when idle, but i don't think they've been implemented.]

[keshy]

I am pretty sure NSA's would have better ways to get information about you than to just rely on periodicity of your keystrokes and doing all those analytics based on heuristics.

[marshray]

This has nothing to do with 'information about me'. The NSA has bunch of old declassified internal newsletters on their website. Traffic and timing side channels analysis is classic, old-school SIGINT.