== The relationship between SSH, SSL, and the Heartbleed bug I will lead with the summary: since the [[Heartbleed bug http://heartbleed.com/]] is a bug in OpenSSL's implementation of a part of the TLS protocol, no version or implementation of SSH is affected by Heartbleed because the SSH protocol is not built on top of TLS. So, there's four things involved here: * [[SSL aka TLS http://en.wikipedia.org/wiki/Transport_Layer_Security]] is the underlying network encryption protocol used for HTTPS and a bunch of other SSL/TLS things. [[Heartbleed http://heartbleed.com/]] is an error in implementing the 'TLS heartbeat' protocol extension to the TLS protocol. A number of other secure protocols are built partially or completely on top of TLS, such as [[OpenVPN http://en.wikipedia.org/wiki/OpenVPN]]. * [[SSH http://en.wikipedia.org/wiki/Secure_Shell]] is the protocol used for, well, SSH connections. It's completely separate from TLS and is not layered on top of it in any way. However, TLS and SSH both use a common set of cryptography primitives such as [[Diffie-Hellman key exchange http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange]], [[AES http://en.wikipedia.org/wiki/Advanced_Encryption_Standard]], and [[SHA1 http://en.wikipedia.org/wiki/SHA-1]]. (Anyone sane who's designing a secure protocol reuses these primitives instead of trying to invent their own.) * OpenSSL is an implementation of SSL/TLS in the form of a large cryptography library. It also exports a whole bunch of functions and so on that do various cryptography primitives and other lower-level operations that are useful for things doing cryptography in general. * OpenSSH is one implementation of the SSH protocol. It uses various functions exported by OpenSSL for a lot of cryptography related things such as generating randomness, but it doesn't use the SSL/TLS portions of OpenSSL because SSH (the protocol) doesn't involve TLS (the protocol). Low level flaws in OpenSSL such as [[Debian breaking its randomness http://www.debian.org/security/2008/dsa-1571]] can affect OpenSSH when OpenSSH uses something that's affected by the low level flaw. In the case of the Debian issue, [[OpenSSH gets its random numbers from OpenSSL SshEncryptionProtection]] and so was affected in [[a number of ways ../linux/DebianSSLConsequences]]. High level flaws in OpenSSL's implementation of TLS itself will never affect OpenSSH because OpenSSH simply doesn't use those bits of OpenSSL. For instance, if OpenSSL turns out to have an SSL certificate verification bug (which happened recently with other SSL implementations) it won't affect OpenSSH's SSH user and host key verification. As a corollary, OpenSSH (and all SSH implementations) aren't directly affected by TLS protocol attacks such as [[BEAST http://en.wikipedia.org/wiki/Transport_Layer_Security#BEAST_attack]] or [[Lucky Thirteen http://en.wikipedia.org/wiki/Lucky_Thirteen_attack]], although people may be able to develop similar attacks against SSH using the same general principles.