
I would love to use it but last time this came up (almost a year ago), people voiced security concerns.

Any different perspectives on this now?




In part, this is why I've submitted this again. There have been previous discussions, but comments there are closed, and many people aren't aware of it, so I thought it was a good opportunity to allow those "in the know" to tell us if anything has changed, and if it's fit for purpose.


One of them, besides the elite crypto issues, is that mosh requires having a wide range of UDP ports open to function properly. Many admins are not willing to do that.


You can pick a single UDP port and use `mosh -p`.

Absent a single privileged moshd, though, every user's mosh-server process needs to have its own UDP port, hence the default behavior. If you want to assign yourself a UDP port and open that single port on the firewall, you can, though.


Which is exactly the issue.


Well, it's been a while with no security issues, hasn't it? That's mostly how software ends up being considered secure.


No, I think having a high quality secure design and a security audit by examining code is how software is considered secure. OpenBSD audits every line of code that it ships, and the last remote root exploit I could find was 2007. DJB's stuff (qmail, djbdns) is designed to be secure from the ground up, and I believe is considered to be secure. (Opinions vary about other aspects of his stuff, though.) "It's been a while since I heard of a virus on Mac OS" is how Mac OS is often considered secure, yet the list of remote exploits is rather large [2], compared to OpenBSD's (exploit-db.com doesn't even know of the 2007 one, but Mac OS has more remote exploits than OpenBSD has local exploits [3]!)

[1] http://www.coresecurity.com/content/open-bsd-advisorie
[2] http://www.exploit-db.com/remote/?p=osX
[3] http://www.exploit-db.com/platform/?p=openbsd


Have you actually seen the OSX exploits listed? It's to do with .exe binaries or Internet Explorer that has nothing to do with OSX.



