I've been reading up on the Curve spec in more detail, and the way the error packet currently works caught me by surprise. Couldn't a crafted TCP packet with an error command be sent to a client? Tricking it into thinking the server has denied its credentials when it has done no such thing? This allows someone with the ability to listen in but not block packets to do denial of service, which wouldn't be the case if the error packet was authenticated & encrypted.
_______________________________________________ zeromq-dev mailing list [email protected] http://lists.zeromq.org/mailman/listinfo/zeromq-dev
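As an added example (not from this thread, libzmq, or the CurveZMQ spec text), a Python sketch of a ZMTP 3.1 command-frame parser plus a client-side policy that treats the unboxed ERROR command as an unauthenticated signal rather than as proof of a credential rejection; `build_command`, `parse_command`, `BOXED` and `classify_handshake_frame` are names I chose for this illustration.

```python
# Added example: minimal ZMTP 3.1 command frames and a client-side policy for
# the plaintext ERROR command (assumed names, not libzmq's API).
import struct

CMD_SHORT, CMD_LONG = 0x04, 0x06  # flags byte: bit 2 = command, bit 1 = long size

def build_command(name: bytes, data: bytes) -> bytes:
    """Encode a command frame: flags, size, name-length, name, data."""
    body = bytes([len(name)]) + name + data
    if len(body) < 256:
        return bytes([CMD_SHORT, len(body)]) + body
    return bytes([CMD_LONG]) + struct.pack(">Q", len(body)) + body

def parse_command(frame: bytes):
    """Return (name, data) for a command frame, or raise ValueError if malformed."""
    if not frame:
        raise ValueError("empty frame")
    if frame[0] == CMD_SHORT and len(frame) >= 2:
        size, off = frame[1], 2
    elif frame[0] == CMD_LONG and len(frame) >= 9:
        size, off = struct.unpack(">Q", frame[1:9])[0], 9
    else:
        raise ValueError("not a command frame")
    body = frame[off:off + size]
    if len(body) != size or not body:
        raise ValueError("truncated frame")
    name_len = body[0]
    name, data = body[1:1 + name_len], body[1 + name_len:]
    if len(name) != name_len:
        raise ValueError("truncated command name")
    return name, data

# CurveZMQ commands whose payload carries a crypto_box; ERROR carries none,
# so nothing in an ERROR frame ties it to the server's key.
BOXED = {b"HELLO", b"WELCOME", b"INITIATE", b"READY", b"MESSAGE"}

def classify_handshake_frame(frame: bytes) -> str:
    """Policy: a plaintext ERROR is only an unauthenticated hint. Log it and
    reconnect with backoff; do not conclude the server rejected our credentials."""
    name, data = parse_command(frame)
    if name == b"ERROR":
        reason_len = data[0] if data else 0
        reason = data[1:1 + reason_len].decode("ascii", "replace")
        return "unauthenticated-error:" + reason
    if name in BOXED:
        return "boxed:" + name.decode("ascii")
    raise ValueError("unexpected command %r" % name)
```

A genuine and a forged ERROR frame are byte-for-byte identical on the wire, which is why the policy above never lets an ERROR alone flip the client into a "credentials denied" state.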
