Security In Our Products
WinSSHD and Tunnelier have an excellent security track record. In more than four years since our products were first introduced, there has been a single denial-of-service vulnerability in WinSSHD 1.1, which was fixed promptly. Vulnerabilities discovered in other SSH implementations did not apply to ours, as our products were developed independently and share no code base with OpenSSH and others. Our SSH protocol implementation is also known as one of the more stringent ones, on several occasions exposing flaws in other implementations that competing products did not detect.
When a security vulnerability is discovered in one of our products, it will be fixed promptly and an upgraded version fixing the flaw will be made available for download. When this happens, all customers that have purchased licenses will be notified by email at the address specified when purchasing. If you wish to change this contact address for your organization, please contact us.
How Secure Is SSH2?
The Secure Shell protocol version 2 was designed in response to security flaws discovered in SSH version 1. While SSH1 contained weaknesses that allowed an attacker to break the security of the session, the design of SSH2 is much more sophisticated, and no practical attacks are currently known against it. When implemented and used properly, SSH2 offers state-of-the-art cryptographic protection comparable with TLS/SSL on the application level or IPsec on the network level.
Our products provide full SSH2 security out of the box. All you need to do is use a good password and verify the fingerprint of the SSH server's public key when first connecting to the server; the fingerprint check protects you from active man-in-the-middle attacks. Otherwise, full cryptographic protection is provided by our programs as configured by default.
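The fingerprint check described above can be scripted. The following is an added example, not code from our products: it hashes a server's public key blob and compares the result with a fingerprint obtained from the server administrator over a separate channel. The two fingerprint formats (colon-separated MD5 hex and `SHA256:` base64), the helper names and the sample key are assumptions; the format a given client displays may differ.

```python
import base64
import hashlib
import struct

def _ssh_string(data):
    # RFC 4251 "string": 4-byte big-endian length, then the bytes.
    return struct.pack(">I", len(data)) + data

# Constructed sample: a structurally valid ssh-ed25519 blob, not a real server key.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_LINE = "ssh-ed25519 %s constructed@example" % base64.b64encode(SAMPLE_BLOB).decode()

def parse_pubkey_line(line):
    """Return (key_type, blob) from a '<type> <base64> [comment]' public key line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    # The blob begins with a length-prefixed copy of the key type; reject a mismatch.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != fields[0].encode():
        raise ValueError("key type does not match key blob")
    return fields[0], blob

def fingerprints(blob):
    """Hash the raw key blob into the two assumed display formats."""
    md5_hex = hashlib.md5(blob).hexdigest()
    sha256_b64 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "md5": ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2)),
        "sha256": "SHA256:" + sha256_b64,
    }

def matches_trusted(blob, trusted):
    """Compare the presented key against a fingerprint obtained out of band."""
    fps = fingerprints(blob)
    t = trusted.strip()
    if t.startswith("SHA256:"):
        return t.rstrip("=") == fps["sha256"]  # base64 is case-sensitive
    if t.upper().startswith("MD5:"):
        t = t[4:]
    return t.lower() == fps["md5"]  # hex digits compare case-insensitively

if __name__ == "__main__":
    _, blob = parse_pubkey_line(SAMPLE_LINE)
    print(fingerprints(blob))
```

The fingerprint is a hash of the whole key blob, so a single changed bit in the presented key produces a different value; accept the key only when the full string matches.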
For more information, see also our page about SSH2.
