SSH Communications issued a statement today about a Secure Shell 1.2 (SSH1) Advisory that the Computer Emergency Response Team (CERT) will release next week. SSH1 establishes encrypted communication between remote hosts. Although CERT has not made public any details about the advisory, SSH Communications commented that SSH 2.x (SSH2) already replaced SSH1, and SSH1 remains a freeware solution that the Internet Engineering Task Force (IETF) no longer endorses. CERT recently published four documents regarding vulnerabilities with SSH1.
SSH2 resolved the inherent security risks in the SSH1 protocol, which includes problems with access control and authentication, data integrity, session replays, and connection redirection, not to mention its support for the weaker Data Encryption Standard (DES) encryption algorithm. Although Secure Shell runs predominantly on UNIX-based systems, both SSH1 and SSH2 are available for Windows-based systems.
