Security in our products
Bitvise SSH Server and Client have an excellent security track record. Since our software was first released in 2001, we have had the following significant issues:
- A denial-of-service vulnerability in WinSSHD 1.1.
- A potential SFTP privilege escalation in WinSSHD versions up to 4.19.
- A denial-of-service vulnerability in Bitvise SSH Server versions 5.50 through 5.58. The likelihood of arbitrary code execution is not known, but is not excluded.
- A denial-of-service vulnerability in Bitvise SSH Server versions 5.xx and 6.xx up to and including version 6.43. The likelihood of arbitrary code execution is not known, but is not excluded.
Vulnerabilities discovered in other SSH implementations have not applied to ours, as our products are developed independently and share no code base with OpenSSH and others. Our SSH protocol implementation is also known as one of the more stringent ones, on several occasions exposing flaws in other implementations that other products did not detect.
When a security vulnerability is discovered in one of our products, it will be fixed promptly and an upgrade version fixing the flaw will be made available for download. When this happens, customers who have purchased licenses will be notified at the technical contact email address associated with their licenses. To change this email address, log into your License Overview. To be sure, you can also subscribe to our mailing list for security notifications.
How secure is SSH?
When implemented and used properly, SSH v2 offers state-of-the-art cryptographic protection comparable with TLS/SSL on the application level or IPsec on the network level.
Our products provide full SSH2 cryptographic security. Your main care is to use high quality passwords, and to verify an SSH server's public key when first connecting to the server. This is crucial to protect from active man-in-the-middle attacks.
For more information, see also our introduction to SSH.