< svnlog 1.7 | Russ Allbery > Eagle's Path > October 2005 | WebAuth 3.3.0 > |
I've been meaning to do this all summer, but I finally got around to releasing a new version of S/Ident with warnings about the protocol flaw that we found. Turns out that the S/Ident protocol is inherently (unfixably) vulnerable to an active man-in-the-middle attack, although the vulnerability only allows an attacker to hijack a session, not initiate a new one.
This means that S/Ident is still usable for certain applications in certain network environments, but it's not useful as a general authentication mechanism and a lot more caution should be exercised before relying on it.
I've also fixed the way logging is configured; previously, -d, -l, and -v were a mess and all enabled various different things in odd ways. Now -d controls only the stderr spewage that breaks the protocol, and everything else is available via -l and -v. There are also fewer debugging messages that have never actually been useful.
You can get the latest version from the S/Ident distribution page.
Posted: 2005-10-04 19:01