[proposed fix] tinc has a security hole
Guus Sliepen
guus at sliepen.warande.net
Mon Aug 28 16:27:04 CEST 2000
On Sun, 27 Aug 2000, Ivo Timmermans wrote:
[...]
> From now on, everything can be encrypted.
>
> 5 send BASIC INFO
> 6 send BASIC INFO
> 7 send PASSPHRASE
> 8 send PASSPHRASE
> 9 connected connected
These also have to be encrypted, because you are still not sure about the
identity of both sides. So even over the session-encrypted line, you have
to send authentication-encrypted passphrases.
-------------------------------------------
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at sliepen.warande.net>
-------------------------------------------
See also: http://tinc.nl.linux.org/
http://www.kernelbench.org/
-------------------------------------------
---
TINC development list, tinc-devel at nl.linux.org
Archive: http://mail.nl.linux.org/tinc-devel/