We've just released #PuTTY version 0.80! This is a SECURITY UPDATE, fixing the newly discovered 'Terrapin' #vulnerability, aka CVE-2023-48795, in some widely used #SSH protocol extensions.
Introducing a new Hashtag: #BigJiaTanVibes To be used when someone tries to put abusive pressure on a maintainer to make way for whatever feature (or obfuscated backdoor) they claim is needed.
Can also be used in a positive way, e.g. when after many years a truly helpful feature gets included as a result of the negative outcome of said hashtag.
Example for the positive version: systemd notify is now implemented natively, without dependency, to #OpenSSH.
Today I learned that each time you derive an OpenSSH private key (say from an ed25519 private key), by design, you get a slightly different key (12 of the characters will be unique to each exported key even though the keys are equivalent to one another).
This crate paves the way for convenient handling of #OpenPGP card User PINs, for users whose threat model allows persisting the PIN locally on the host computer.
If a User PIN is stored, applications can obtain it via this crate, and perform cryptographic operations without prompting the user for PIN entry.
Currently org.freedesktop.Secret is supported for storage.
This SSH agent explores an absolutely streamlined UX for doing ssh backed by OpenPGP card-based key material.
After persisting the User PIN once, like this: "$ openpgp-card-state put --user-pin 123456 0000:01234567", the ssh agent can be used without any user interaction.
🔐 OpenSSH Announces Plan to Phase Out DSA Keys
ᐅ @linuxiac
「 Its limitations have long been recognized, particularly its restriction to a 160-bit private key and reliance on the SHA1 digest.
These constraints render its security level equivalent to less than or equal to 80 bits in symmetric encryption, a standard considered insufficient in the current cybersecurity landscape 」
Here's a thorough analysis of all the commits by "Jia Tan" from 2023-08 through 2024-03, showing the many legitimate code changes done before the introduction of the #xz#backdoor:
A Backdoor in XZ Utils was found!
To know if you are affected rune:
xz -V in your terminal
if like me you have XZ 5.6.0 or XZ 5.6.1 downgrade XZ Utils to an earlier version, such as 5.4.6 (Stable) or disable ssh
🔓Technologist vs spy: the xz backdoor debate | lcamtuf
「 Up to that point, xz had a single maintainer — Lasse Collin — who was dealing with health issues and wasn’t fully engaged. Shortly after the arrival of “Jia”, several apparent sock puppet accounts showed up and started pressuring Lasse to pass the baton; it appears that he relented at some point in 2023 」
Terrapin enables attackers to manipulate or remove messages exchanged in the communication channel, resulting in the degradation of public key algorithms.