X-Git-Url: https://www.tinc-vpn.org/git/browse?p=tinc;a=blobdiff_plain;f=README;h=127cde2e78758d1d61223c63fd580777db815578;hp=02c2cab585a57afc839c0881c8c41b3e34572058;hb=4887f56e565727c6ebd5a8a8911d1aa260f0ce6f;hpb=3ca724e191958ea2ba63ef10eeef7eb51b5dd230 diff --git a/README b/README index 02c2cab5..127cde2e 100644 --- a/README +++ b/README @@ -1,7 +1,7 @@ -This is the README file for tinc version 1.0.34. Installation +This is the README file for tinc version 1.0.36. Installation instructions may be found in the INSTALL file. -tinc is Copyright (C) 1998-2018 by: +tinc is Copyright (C) 1998-2019 by: Ivo Timmermans, Guus Sliepen , @@ -41,6 +41,15 @@ issues are being addressed in the tinc 1.1 branch. The Sweet32 attack affects versions of tinc prior to 1.0.30. +On September 6th, 2018, Michael Yonly contacted us and provided +proof-of-concept code that allowed a remote attacker to create an +authenticated, one-way connection with a node, and also that there was a +possibility for a man-in-the-middle to force UDP packets from a node to be sent +in plaintext. The first issue was trivial to exploit on tinc versions prior to +1.0.30, but the changes in 1.0.30 to mitigate the Sweet32 attack made this +weakness much harder to exploit. These issues have been fixed in tinc 1.0.35. +The new protocol in the tinc 1.1 branch is not susceptible to these issues. + Cryptography is a hard thing to get right. We cannot make any guarantees. Time, review and feedback are the only things that can prove the security of any cryptographic product. If you wish to review 
@@ -50,7 +59,7 @@ tinc or give us feedback, you are strongly encouraged to do so. Compatibility ------------- -Version 1.0.31 is compatible with 1.0pre8, 1.0 and later, but not with older +Version 1.0.35 is compatible with 1.0pre8, 1.0 and later, but not with older versions of tinc. Note that since version 1.0.30, tinc requires all nodes in the VPN to be compiled with a version of LibreSSL or OpenSSL that supports the AES256 and SHA256 algorithms.
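Review bot: In the @@ -41,6 +41,15 @@ hunk, the added paragraph gives an affected range only for the first issue ("trivial to exploit on tinc versions prior to 1.0.30"); it does not say which versions are exposed to the second issue, where a man-in-the-middle can force UDP packets from a node to be sent in plaintext. Suggest stating the affected versions for both issues and saying outright that nodes older than 1.0.35 should be upgraded, since "These issues have been fixed in tinc 1.0.35" leaves that to inference. The first sentence is also not parallel ("provided proof-of-concept code that allowed ..., and also that there was a possibility ..."); one sentence per issue would read more clearly. If advisory identifiers were assigned to these reports, reference them here so readers can match this text to external advisories.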
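Review bot: In the @@ -50,7 +59,7 @@ hunk, the Compatibility section now reads "Version 1.0.35 is compatible with 1.0pre8, 1.0 and later", while the first hunk sets the header to "tinc version 1.0.36". Suggest using 1.0.36 here, or rewording the sentence so it does not carry a release number that must be bumped by hand; the removed line said 1.0.31 while the removed header said 1.0.34, so this line has already drifted once.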