On 4/8/2014 10:13 AM, Steffan Karger wrote:
> On 08/04/2014 16:04, Mike Tancsa wrote:
>> How does one attack the client? In my case, the client only connects
>> to my servers? I use a tls-auth key file as well. If I understand
>> correctly, the scenario would be the attacker would have to have the
>> tls-auth key file, and then do a man in the middle attack to pretend
>> it's the server's IP, and then coax the client into allocating the 64k
>> block of memory as described in the above link?
>
> Correct. But man-in-the-middle can also be something like DNS poisoning.
>
> If you use TLS-auth, the attacker must have previously obtained the TLS-auth
> key. When the user base is large, it is not unlikely that one of the users was
> compromised and should be considered malicious.

Thanks! Although we are certainly planning to update the vulnerable clients, this is not quite as dire and urgent as first described in the popular press -- at least as it applies to my client base. We also use IP addresses for the target servers in the client configs.

        ---Mike

--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, m...@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/
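
An added example, not part of the thread above: a small check of an OpenVPN client config for the two conditions the messages discuss, whether `tls-auth` is configured and whether any `remote` uses a hostname (resolved through DNS) rather than an IP address. The function name `audit_client_config` and the sample config are constructed for illustration.

```python
import ipaddress

# Constructed sample client config (not from the thread). The address is from
# a documentation range and the hostnames are placeholders.
SAMPLE_CONFIG = """\
client
dev tun
; remote old.example.net 1194
remote 203.0.113.10 1194 udp
remote vpn.example.net 1194
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
(key material omitted)
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
"""


def audit_client_config(text):
    """Return (has_tls_auth, hostname_remotes) for an OpenVPN client config."""
    has_tls_auth = False
    hostname_remotes = []
    inline_block = None  # name of the inline <tag> block being skipped, if any
    for raw in text.splitlines():
        line = raw.strip()
        if inline_block:
            # Inside an inline block: ignore key material until the closing tag.
            if line == f"</{inline_block}>":
                inline_block = None
            continue
        if not line or line[0] in "#;":
            continue  # blank line or comment line
        if line.startswith("<") and line.endswith(">") and line[1] != "/":
            inline_block = line[1:-1]
            if inline_block == "tls-auth":
                has_tls_auth = True
            continue
        fields = line.split()
        if fields[0] == "tls-auth" and len(fields) >= 2:
            has_tls_auth = True  # key supplied as a file path
        elif fields[0] == "remote" and len(fields) >= 2:
            try:
                ipaddress.ip_address(fields[1])  # IPv4 or IPv6 literal
            except ValueError:
                hostname_remotes.append(fields[1])  # depends on DNS at connect
    return has_tls_auth, hostname_remotes
```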
