Security in our products
Bitvise SSH Server and Client have an excellent security track record. Since our software was first released in 2001, we have found occasional issues. All of these were fixed promptly as they came to our attention. The security of our software is our first priority, followed by reliability, followed by performance and features.
Vulnerabilities specific to other SSH implementations tend not to apply to ours. Our software is developed independently and does not share code with OpenSSH or other implementations. Our SSH protocol implementation is one of the more stringent ones, and on several occasions it has exposed flaws in other implementations.
When a security vulnerability is discovered in one of our products, it will be fixed promptly and a new version fixing the flaw will be made available for download or automatic update. When this happens, customers who have purchased licenses will be notified at the technical contact email address associated with their licenses. To change this email address, log into your License Overview. To be sure, you can also subscribe to our mailing list for security notifications.
How secure is SSH?
When implemented and used properly, SSH v2 offers state-of-the-art cryptographic protection comparable with TLS/SSL on the application level or IPsec on the network level.
Our products provide full SSH2 cryptographic security. Your main responsibilities are to configure access permissions properly, to use high-quality passwords, and to verify an SSH server's public key when first connecting to that server. Verifying the host key is crucial to protect against active man-in-the-middle attacks.
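As an added illustration (not Bitvise's code), the following Python shows how the SHA256 fingerprint that SSH clients display on first connection is derived from a host's public key line, so that it can be compared against a value obtained out of band (for example from the server administrator). The key line is constructed in the code and belongs to no real server.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def build_ed25519_pubkey_line(raw_key: bytes, comment: str = "constructed") -> str:
    """Build an OpenSSH-style 'ssh-ed25519 <base64> <comment>' line from a raw 32-byte key."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line: str):
    """Return (key_type, blob); rejects lines whose blob-embedded type differs from the declared one."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type = parts[0]
    blob = base64.b64decode(parts[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type inside blob does not match declared key type")
    return key_type, blob


def sha256_fingerprint(line: str) -> str:
    """OpenSSH-style fingerprint: base64 of SHA-256 over the raw key blob, '=' padding stripped."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(line: str, expected_fingerprint: str) -> bool:
    """Compare the computed fingerprint with one obtained out of band, in constant time."""
    return hmac.compare_digest(sha256_fingerprint(line), expected_fingerprint.strip())


# Constructed sample key (bytes 0..31); there is no real server behind it.
SAMPLE_KEY_LINE = build_ed25519_pubkey_line(bytes(range(32)))

if __name__ == "__main__":
    print(SAMPLE_KEY_LINE)
    print(sha256_fingerprint(SAMPLE_KEY_LINE))
```

If the fingerprint the client shows does not match the one obtained out of band, the connection should be refused rather than trusted on first use.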
For more information, see also our introduction to SSH.
Bitvise's software development lifecycle
Bitvise is a small company that has always had a single-digit number of developers. Our development therefore involves less formality than larger teams need, yet it can deliver greater quality. The following are the main ways we ensure that the security of our software is high and continues to improve:
We keep a small team of experienced developers, minimizing turnover so that the lessons we have learned are preserved.
We address any new issue comprehensively and in depth, so that not only is the mistake fixed, but the processes that allowed it are also improved.
We hire rarely, and the work of any new hire is carefully vetted. We use C++, a complex language that requires great skill and discipline to use safely. We ensure that any code we use is of high quality, and that anyone we hire has such skill.
The latest Bitvise software versions are therefore created by developers more experienced than they were 10 or 15 years ago, using processes more stringent than we had then. Our existence is possible because our software was recognized as dependable in its early versions to begin with. Over time, the issues we find have also become less frequent and less severe.
We believe that our latest versions are the most secure versions we have released, and we continue to work to meet and exceed this.
"We have a security questionnaire. Please fill it out?"
A questionnaire cannot tell you if our software is secure. It tells you if Bitvise is aware of "industry guidelines" and "best practices," and if we claim to be compliant.
Security is our top priority. But compliance is the opposite of security. Security protects your interests. When you comply, you trust instructions from someone else, who you assume is an expert. You trust they are pure and impartial.
You cannot assume this. Uncritical compliance is an existential threat. Blind trust in "standards," "guidelines," "experts" and "authorities" is an open vulnerability that has made easy pickings of us.
This is not theoretical. We have all of the below – the fruits of a century of conscious abuses of compliance:
Medicine that harms, under the pretense of healing.
News that misinforms, under the pretense of reporting.
Shows that indoctrinate, under the pretense of entertaining.
Movements that divide, under the pretense of uniting.
Governments that abuse, under the pretense of representing.
Banks that impoverish, under the pretense of enriching.
Smartphones that surveil, under the pretense of convenience.
Technologies that control, under the pretense of empowering.
Science that hides truth, under the pretense of discovering.
Schools that mislead and confuse, under the pretense of educating.
Religions that endorse materialism, under the pretense of spirituality.
Our entire society has been compromised under a century-long plan to achieve control of every living being. The harm already done is going to be extremely painful. Not in some intangible way, but in millions of maimed and dead. Not tomorrow, but right now. This has affected millions already.
This is made possible by people receiving questionnaires and complying. So, apologies. No thank you.
If you think there are best practices we should follow, please feel free to send a suggestion.