If you use putty or puttygen, update to the latest version..
Putty just announced that versions earlier than 0.80 were generating ecdsa-sha2-nistp521 that were flawed.. If you have any of these keys lying around, destroy them and regenerate keys. Tim. -- I am leery of the allegiances of any politician who refers to their constituents as "consumers".
Tim Keller via WLUG <wlug@lists.wlug.org> writes:
Putty just announced that versions earlier than 0.80 were generating ecdsa-sha2-nistp521 that were flawed..
If you have any of these keys lying around, destroy them and regenerate keys.
I had never heard of Putty, but this sounded dire. There are many things that I never heard of that are installed by my Linux distribution (Debian) and are essential for it's operation. Do I have putty keys lying around? I Google search reveals that this question has been asked by many other people and answered by many more people who have no idea what they are talking about. My current best guess is that PuTTy is a MeSs-Windows implementation of the ssh protocol that has been ported to Linux, for no good reason since the ssh program works better. Therefore I plan to ignore this dire warning. Does anybody think I am mistaken? -- Keith PS: In any case, this particular "security vulnerability" seems like it might be something to worry about iff you work for the CIA and think that the KGB may be spending mega-$ and years of work to steal your secrets. Nobody wants to steal my secrets. I am more worried that some random thug might break a window and steal my computer.
I've mostly seen putty used by Windows users, and Linux users that recently moved from Windows. If you were using it, you would know. You should be good. On Wed, Apr 17, 2024, 9:34 AM Keith Wright via WLUG <wlug@lists.wlug.org> wrote:
Tim Keller via WLUG <wlug@lists.wlug.org> writes:
Putty just announced that versions earlier than 0.80 were generating ecdsa-sha2-nistp521 that were flawed..
If you have any of these keys lying around, destroy them and regenerate keys.
I had never heard of Putty, but this sounded dire. There are many things that I never heard of that are installed by my Linux distribution (Debian) and are essential for it's operation. Do I have putty keys lying around?
I Google search reveals that this question has been asked by many other people and answered by many more people who have no idea what they are talking about.
My current best guess is that PuTTy is a MeSs-Windows implementation of the ssh protocol that has been ported to Linux, for no good reason since the ssh program works better.
Therefore I plan to ignore this dire warning.
Does anybody think I am mistaken?
-- Keith
PS: In any case, this particular "security vulnerability" seems like it might be something to worry about iff you work for the CIA and think that the KGB may be spending mega-$ and years of work to steal your secrets. Nobody wants to steal my secrets. I am more worried that some random thug might break a window and steal my computer. _______________________________________________ WLUG mailing list -- wlug@lists.wlug.org To unsubscribe send an email to wlug-leave@lists.wlug.org Create Account: https://wlug.mailman3.com/accounts/signup/ Change Settings: https://wlug.mailman3.com/postorius/lists/wlug.lists.wlug.org/ Web Forum/Archive: https://wlug.mailman3.com/hyperkitty/list/wlug@lists.wlug.org/message/6RYVLL...
Keith: Putty is an SSH client for windows. On a very cool side note, my co-worker Nick Howgrave-Graham, who a couple years ago came and gave a talk about encryption and math and public private key stuff. The researchers who found this flaw cited his work.. Quote from the PDF: Many works in the literature have exploited side-channel information about (EC)DSA nonces by solving the Hidden Number Problem (HNP), e.g. [65, 19, 55, 12, 70, 75, 71, 63, 80, 46], since the seminal works of Bleichenbacher [18] and Howgrave-Graham and Smart [45]. Nick is a brilliant guy and it's cool that his work is still being used to find flaws. Tim. On Wed, Apr 17, 2024 at 12:40 PM Gregory Boyce <gregory.boyce@gmail.com> wrote:
I've mostly seen putty used by Windows users, and Linux users that recently moved from Windows.
If you were using it, you would know. You should be good.
On Wed, Apr 17, 2024, 9:34 AM Keith Wright via WLUG <wlug@lists.wlug.org> wrote:
Tim Keller via WLUG <wlug@lists.wlug.org> writes:
Putty just announced that versions earlier than 0.80 were generating ecdsa-sha2-nistp521 that were flawed..
If you have any of these keys lying around, destroy them and regenerate keys.
I had never heard of Putty, but this sounded dire. There are many things that I never heard of that are installed by my Linux distribution (Debian) and are essential for it's operation. Do I have putty keys lying around?
I Google search reveals that this question has been asked by many other people and answered by many more people who have no idea what they are talking about.
My current best guess is that PuTTy is a MeSs-Windows implementation of the ssh protocol that has been ported to Linux, for no good reason since the ssh program works better.
Therefore I plan to ignore this dire warning.
Does anybody think I am mistaken?
-- Keith
PS: In any case, this particular "security vulnerability" seems like it might be something to worry about iff you work for the CIA and think that the KGB may be spending mega-$ and years of work to steal your secrets. Nobody wants to steal my secrets. I am more worried that some random thug might break a window and steal my computer. _______________________________________________ WLUG mailing list -- wlug@lists.wlug.org To unsubscribe send an email to wlug-leave@lists.wlug.org Create Account: https://wlug.mailman3.com/accounts/signup/ Change Settings: https://wlug.mailman3.com/postorius/lists/wlug.lists.wlug.org/ Web Forum/Archive: https://wlug.mailman3.com/hyperkitty/list/wlug@lists.wlug.org/message/6RYVLL...
-- I am leery of the allegiances of any politician who refers to their constituents as "consumers".
participants (3)
-
Gregory Boyce -
Keith Wright -
Tim Keller