[[!meta author="zarq"]]
[[!meta date="September 10th 2000"]]

Although we (the authors of tinc) have done our best to make tinc as secure as possible, an unfortunate combination of encryption and key exchange techniques has created a hole in at least all versions of tinc >= 0.3, including the current CVS version.

*** Exploit:

If somebody can intercept the meta protocol to a host that is running a tinc daemon, it is possible to decrypt the passphrase, which can then be used to gain unauthorised access to the VPN and become a part of it.

*** Workaround:

Add firewall rules so that only trusted hosts can connect to the tinc daemon.

*** Fix:

We are currently working on the implementation of a new protocol, with a different authentication scheme. We expect to have a working version in CVS around next weekend; we will release a new version (1.0pre3) when this becomes stable.

Guus Sliepen

Ivo Timmermans