undefined | Better HN

0 pointsMsurrow1mo ago0 comments

I’m calling it consultant speak because your response to an argument is to bring up something else, instead of actually responding.

The same with this last reply; you can keep throwing out new points all you want, but thats not going to make you correct in the original question.

Saying or implying that one software has a “principle” risk of vulnerabilities that another software doesn’t is plain and simply wrong.

And that has nothing to do with all the other stuff about layered defence, vpns, enterprise security, chatty protocols or whatever you want to pile on the discusion.

0 comments

rl31mo ago

Your question was this:

>So what’s the difference in risk of ssh software vulns and other software vulns?

I proceeded to explain how large companies think about the issue and what their rationale is for not exposing SSH endpoints to the public internet. On the technical side, I compared SSH to WireGuard.

For that comparison, the chattiness of their respective protocols was directly relevant.

Likewise complexity: between two highly-audited pieces of software, the silent one that's vastly simpler tends to win from a security perspective.

All of those points seem highly relevant to your question.

>... but thats not going to make you correct in the original question.

If you can elucidate what I said that was incorrect, I'm all ears.

MsurrowOP1mo ago

You are still implying that wireguard are somehow different from ssh in its suceptibilty to vulnerabilities existing or being introduced into its codebase. And it simply is not.

Edit: codebase of ssh/wireguard implementations, just to be clear

rl31mo ago

Yes, the two are very different in that regard.

WireGuard is 4k LoC and is very intentional about its choice of using a single, static crypto implementation to drastically reduce its complexity. Technically speaking, it has a lower attack surface for that reason.

That said, I've been on your side of the argument before, and practically speaking you can expose OpenSSH on the public internet with a proper key setup and almost certainly nothing will happen because it's a highly-audited, proven piece of software. Even though it's technically very complex.

But, that still doesn't mean it isn't best practice to avoid exposing it to the public internet. Especially when you can put things in front of it (such as WireGuard) that have a much lower technical complexity, and thus a reduced attack surface.

1 more reply

j / k navigate · click thread line to collapse

0 pointsMsurrow1mo ago0 comments

I’m calling it consultant speak because your response to an argument is to bring up something else, instead of actually responding.

The same with this last reply; you can keep throwing out new points all you want, but thats not going to make you correct in the original question.

Saying or implying that one software has a “principle” risk of vulnerabilities that another software doesn’t is plain and simply wrong.

And that has nothing to do with all the other stuff about layered defence, vpns, enterprise security, chatty protocols or whatever you want to pile on the discusion.

0 comments

rl31mo ago

Your question was this:

>So what’s the difference in risk of ssh software vulns and other software vulns?

For that comparison, the chattiness of their respective protocols was directly relevant.

Likewise complexity: between two highly-audited pieces of software, the silent one that's vastly simpler tends to win from a security perspective.

All of those points seem highly relevant to your question.

>... but thats not going to make you correct in the original question.

If you can elucidate what I said that was incorrect, I'm all ears.

MsurrowOP1mo ago

You are still implying that wireguard are somehow different from ssh in its suceptibilty to vulnerabilities existing or being introduced into its codebase. And it simply is not.

Edit: codebase of ssh/wireguard implementations, just to be clear

rl31mo ago

Yes, the two are very different in that regard.

1 more reply

j / k navigate · click thread line to collapse