Terrapin vulnerability mitigation

[dlong500]

What are the plans to mitigate the Terrapin vulnerability? Putty released version 0.80 two days ago with a fix and it appears that BOTH server and client SSH implementations must use the mitigation or the MITM attack is still a threat. As far as I can tell based on the information that has been released this means that using KiTTY without a mitigation patch will allow for this attack even if the SSH server has been patched.

[ann4belle]

[...] As far as I can tell based on the information that has been released this means that using KiTTY without a mitigation patch will allow for this attack even if the SSH server has been patched.

This is somewhat true - one way to partially mitigate this is to go into Connection > SSH > Cipher and move "ChaCha20 (SSH-2 only)" below "-- warn below here --" (be sure to save this in the Default Settings and any other saved sessions). This prevents the use of one of the vulnerable ciphers without warning. As a limitation inherited from PuTTY, the other vulnerable cipher is bundled with other non-vulnerable ones under "AES (SSH-2 only)", and KiTTY can't be configured to warn before using it without also warning before using non-vulnerable ciphers.

Even if you do move both below the warning threshold, running the Terrapin scanner will still produce a positive, as the vulnerable ciphers are still enabled and strict key exchange is unsupported.

Judging by the fact that KiTTY is advertised as "a fork from version 0.76 of PuTTY", and doesn't appear to have incorporated upstream commits since that version (seeing as PuTTY has released 0.77, 0.78, 0.79, and now 0.80), I'm starting to consider moving back to PuTTY myself.

[BurtGummer]

I hope I don't have to go back to putty, but security is more important than usability

[Drakonas]

Is there a reason this is being ignored? This is a serious vulnerability that will deter users from using this software. Why is this not being updated?

[Djfe]

Feel free to update KiTTY yourself. It hasn't been updated for almost a year now. One release tag commit was titled "abandoned"
4404c65

If you require a fix you might have to switch to PuTTY.
Only PuTTY is being maintained atm.
Alternative: disable Encrypt-then-MAC on your ssh servers

[Drakonas]

Feel free to update KiTTY yourself. It hasn't been updated for almost a year now. One release tag commit was titled "abandoned" 4404c65

If you require a fix you might have to switch to PuTTY. Only PuTTY is being maintained atm. Alternative: disable Encrypt-then-MAC on your ssh servers

Apologies. I wasn't aware that development had completely halted... Thanks for letting me know.