[zeromq-dev] Curve: Potential DoS with error commands ?
Diego Duclos
diego.duclos at palmstonegames.com
Fri Jul 4 19:11:52 CEST 2014
Actually, after some more consideration. As CurveZMQ runs over TCP, which
can already be trivially DoS'd using a FIN packet, I don't think adding
authentication will add much value to the protocol.
On Fri, Jul 4, 2014 at 4:34 PM, Goswin von Brederlow <goswin-v-b at web.de>
wrote:
> On Thu, Jul 03, 2014 at 09:24:59PM +0200, Pieter Hintjens wrote:
> > I guess the error command could be encrypted with the server long term
> > private key, yes.
> >
> > On Thu, Jul 3, 2014 at 8:15 PM, Diego Duclos
> > <diego.duclos at palmstonegames.com> wrote:
> > > I've been reading up the Curve spec with more detail, and the way the
> error
> > > packet currently works caught me by surprise. Couldn't a crafted TCP
> packet
> > > with an error command be sent to a client ? Tricking it into thinking
> the
> > > server has denied it's credentials when it has done no such thing ?
> > > This allows someone with the ability to listen in but not block
> packets to
> > > do denial of service, which wouldn't be the case if the error packet
> was
> > > authenticated & encrypted.
>
> What if the error was that the servers public key didn't fit?
>
> MfG
> Goswin
> _______________________________________________
> zeromq-dev mailing list
> zeromq-dev at lists.zeromq.org
> http://lists.zeromq.org/mailman/listinfo/zeromq-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.zeromq.org/pipermail/zeromq-dev/attachments/20140704/e199d4bf/attachment.htm>
More information about the zeromq-dev
mailing list