johan beisser wrote:
Given enough time and enough response packets you might be able to figure out which two-letter commands were given at any given time. Section 6 of RFC4253[1] should provide some level of masking to which character is typed outbound to the remote system and more than bit on the return, and Eve could - possibly - correlate which two packets represented which characters through inference based on the number and frequency of return packets and other events (fresh outbound ssh, etc).

What about some known patterns like "screen (-r)" from the start of every session, for example in an IRC shell where most people do that first? Could it be used with lots of data to crack open future sessions?

--
Toni Spets
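
The masking that Section 6 of RFC 4253 provides can be worked out from its packet layout. The following is an added example, not code from either poster. It assumes a 16-byte cipher block, a 32-byte MAC, no compression, a length field that is encrypted and counted in the alignment, and terminal input carried in SSH_MSG_CHANNEL_DATA as defined in RFC 4254.

```python
# Added example: packet-size arithmetic from RFC 4253 section 6.
# Assumptions (not from the thread): 16-byte cipher block, 32-byte MAC,
# no compression, minimum padding chosen by the sender.

MIN_PADDING = 4  # section 6 requires at least four bytes of random padding


def padding_length(payload_len: int, block_size: int = 16) -> int:
    """Smallest legal padding for a payload of payload_len bytes."""
    align = max(8, block_size)
    unpadded = 4 + 1 + payload_len  # packet_length + padding_length + payload
    pad = align - (unpadded % align)
    if pad < MIN_PADDING:
        pad += align  # too little padding: move up one more block
    return pad


def wire_length(payload_len: int, block_size: int = 16, mac_len: int = 32) -> int:
    """Bytes an observer sees for one SSH binary packet."""
    pad = padding_length(payload_len, block_size)
    return 4 + 1 + payload_len + pad + mac_len


def channel_data_payload_len(n_chars: int) -> int:
    """SSH_MSG_CHANNEL_DATA: type byte, uint32 channel, uint32 length, data."""
    return 1 + 4 + 4 + n_chars


def sizes_by_input_length(max_chars: int = 16) -> dict:
    """Map number of characters in one write to the observed packet size."""
    return {n: wire_length(channel_data_payload_len(n))
            for n in range(1, max_chars + 1)}


if __name__ == "__main__":
    for n, size in sizes_by_input_length().items():
        print(f"{n:2d} character(s) in one packet -> {size} bytes on the wire")
```

Under these assumptions every write of 1 to 14 characters produces the same 64-byte packet, so packet length does not reveal which character was typed. The number of packets and the gaps between them are not covered by this padding.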
