[zeromq-dev] Curve: Potential DoS with error commands?
Pieter Hintjens
ph at imatix.com
Thu Jul 3 21:24:59 CEST 2014
I guess the error command could be encrypted with the server long term
private key, yes.
On Thu, Jul 3, 2014 at 8:15 PM, Diego Duclos
<diego.duclos at palmstonegames.com> wrote:
> I've been reading up the Curve spec with more detail, and the way the error
> packet currently works caught me by surprise. Couldn't a crafted TCP packet
> with an error command be sent to a client? Tricking it into thinking the
> server has denied its credentials when it has done no such thing?
> This allows someone with the ability to listen in but not block packets to
> do denial of service, which wouldn't be the case if the error packet was
> authenticated & encrypted.