S/Ident 3.5

I've been meaning to do this all summer, but I finally got around to releasing a new version of S/Ident with warnings about the protocol flaw that we found. Turns out that the S/Ident protocol is inherently (unfixably) vulnerable to an active man-in-the-middle attack, although the vulnerability only allows an attacker to hijack a session, not initiate a new one.

This means that S/Ident is still usable for certain applications in certain network environments, but it's not useful as a general authentication mechanism and a lot more caution should be exercised before relying on it.

I've also fixed the way logging is configured; previously, -d, -l, and -v were a mess and all enabled various different things in odd ways. Now -d controls only the stderr spewage that breaks the protocol, and everything else is available via -l and -v. There are also fewer debugging messages that have never actually been useful.

You can get the latest version from the S/Ident distribution page.

Posted: 2005-10-04 19:01 — Why no comments?

Last spun 2022-02-06 from thread modified 2013-01-04