by tptacek 4450 days ago
You're right: there is more incentive to find OpenSSH vulnerabilities than spiped vulnerabilities, and so the absence of OpenSSH vulnerabilities is more telling than the absence of spiped vulnerabilities.

But spiped is so much simpler than OpenSSH that more is going on: it's not merely that fewer people are looking, but that there is less to find.

Look over the history of OpenSSH vulnerabilities and reduce them to the subset that could possibly have affected spiped and you'll see what I mean. spiped benefits from having less mechanism than OpenSSH.

The idea behind deploying spiped is that you leave OpenSSH exposed for the tiny window of time required to get spiped deployed, and then you turn it off. Even if OpenSSH is totally broken, you still benefit from the fact that attackers aren't omniscient. A similar, weaker property is the reason every host running nginx hasn't been owned up.


>Look over the history of OpenSSH vulnerabilities and reduce them to the subset that could possibly have affected spiped and you'll see what I mean. spiped benefits from having less mechanism than OpenSSH.

This is true, but if you were using them to solve the same use-cases (fixed tunneling between hosts), how often would those OpenSSH vulnerabilities have been exploitable?

I apologize for arguing with you. The votes my comments are receiving have indicated to me that my input on this subject is not welcome in this community.

Breathe. The downvotes you got (I wasn't one of them) indicated that people disagree with you. Probably by default, because they know who me and Colin are.

It's also a useful point that not all of OpenSSH's additional mechanism is implicated when doing point-to-point tunneling. But look at the actual vulnerabilities: some of them are!

>The downvotes you got (I wasn't one of them) indicated that people disagree with you. Probably by default, because they know who me and Colin are.

Doesn't that make you sad inside?