Security In Our Products

Bitvise SSH Server and Client have an excellent security track record. In the decade since our products were first introduced, there has been a denial-of-service vulnerability in WinSSHD 1.1, and a potential SFTP privilege escalation in WinSSHD versions up to 4.19. Both issues were fixed promptly, as soon as they came to our attention.

Vulnerabilities discovered in other SSH implementations did not apply to ours, as our products were developed independently and share no code base with OpenSSH and others. Our SSH protocol implementation is also known as one of the more stringent ones, on several occasions exposing flaws in other implementations that competing products did not detect.

When a security vulnerability is discovered in one of our products, it will be fixed promptly and an upgrade version fixing the flaw will be made available for download. When this happens, customers who have purchased licenses will be notified at the technical contact email address associated with their licenses. To change this email address, log into your License Overview. You can also subscribe to our mailing list for security notifications.

How Secure Is SSH2?

The Secure Shell protocol version 2 was designed in response to security faults discovered in SSH version 1. While SSH1 contained weaknesses that allowed an attacker to break the security of the session, the design of SSH2 is much more sophisticated, and no practical attacks are currently known against it. When implemented and used properly, SSH2 offers state-of-the-art cryptographic protection comparable with TLS/SSL on the application level or IPsec on the network level.

Our products provide full SSH2 security out of the box. Your main responsibilities are to use high-quality passwords, and to verify the fingerprint of the SSH server's public key when first connecting to the server; this protects you from active man-in-the-middle attacks. Otherwise, full cryptographic protection is implicitly provided by our programs as configured by default.
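The fingerprint check described above can also be scripted. The following is an added example, not Bitvise code: it assumes the server's host key is available as an OpenSSH-format public key line and that the trusted fingerprint, obtained out of band, is in the common SHA256 (base64) or MD5 (hex) form. All function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

def _key_blob(pubkey_line: str) -> bytes:
    """Return the raw key blob from a '<type> <base64> [comment]' line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    declared, blob = fields[0], base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob starts with a length-prefixed algorithm name; it must
    # agree with the type declared in the first field of the line.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != declared.encode():
        raise ValueError("key type does not match the encoded blob")
    return blob

def sha256_fingerprint(pubkey_line: str) -> str:
    digest = hashlib.sha256(_key_blob(pubkey_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def md5_fingerprint(pubkey_line: str) -> str:
    digest = hashlib.md5(_key_blob(pubkey_line)).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def matches_trusted(pubkey_line: str, trusted: str) -> bool:
    """Compare the presented key with a fingerprint obtained out of band."""
    trusted = trusted.strip()
    if trusted.startswith("SHA256:"):
        presented = sha256_fingerprint(pubkey_line)
    elif trusted.startswith("MD5:"):
        presented = md5_fingerprint(pubkey_line)
        trusted = "MD5:" + trusted[4:].lower()
    else:
        raise ValueError("fingerprint must start with 'SHA256:' or 'MD5:'")
    return hmac.compare_digest(presented.encode(), trusted.encode())

def make_constructed_key(seed: int) -> str:
    # Constructed sample: a well-formed ssh-ed25519 blob with dummy key bytes.
    raw = bytes((seed + i) % 256 for i in range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed-sample"

if __name__ == "__main__":
    server, other = make_constructed_key(0), make_constructed_key(1)
    trusted = sha256_fingerprint(server)  # stands in for the administrator's value
    print(trusted, matches_trusted(server, trusted), matches_trusted(other, trusted))
```

A mismatch on first connection means the key presented is not the one the administrator published, and the connection should not be trusted until the discrepancy is explained.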

For more information, see also our page about SSH2.