Re: Which one have more vulnerability history, SSH or OpenSSH ?

[Byron Sonne <blsonne () rogers com>]

> I would like to use openssh over commercial ssh. Which
> one has more security problems in the past? Some in my
> IT department claim that openssh is more unsecure bcoz
> it had more problems? Is it true? Or is it something
> in the long past.

This is not as simple a question as it might appear.

My personal estimate would be that yes, OpenSSH probably has more of a 
history of vulnerabilities being made public. But that's just a guess.
More people use OpenSSH so it is a more prevalent target. It's also a 
more attractive target; if you're a cracker you'll probably get more 
kudos from your buddies.

But then we have to give thought to what version numbers? If you're 
running anything that's out of date you're opening yourself to problems. 
And what flavour of OpenSSH, portable? If so, check this blurb from the 
http://www.openssh.org/ website

"Managing the distribution of OpenSSH is split into two teams. One team 
does strictly OpenBSD-based development, aiming to produce code that is 
as clean, simple, and secure as possible. We believe that simplicity 
without the portability "goop" allows for better code quality control 
and easier review. The other team then takes the clean version and makes 
it portable, by adding the portability "goop" so that it will run on 
many operating systems (these are known as the p releases, and named 
like "OpenSSH 3.8p1"). Please click on the provided link for your 
operating system."

So one could reasonably anticipate that by adding the "portability goop" 
you're going to open up a much, much wider field for vulnerabilities.

Also, was it built from source or installed as precompiled binaries? How 
was it configured? All valuable questions. And some of the 
vulnerabilities are not in OpenSSH but rather in libraries that it 
depends on, such as SSL type stuff.

I personally would still stick with OpenSSH for the foreseeable future. 
They tend to fix problems pretty quickly. Since it is open I feel very 
positive about their ability to adapt to user needs and concerns.


--

For Good, return Good. For Evil, return Justice.


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------