Package: vpnc
Version: 0.5.0-1
Severity: minor

The security warning in Readme.Debian says that there is nothing to prevent
man-in-the-middle attacks and the username and password are always exchanged in
an insecure format. However, following the link [1] in that file takes you to a
page on Cisco's website. That page claims that the old "Group Authentication"
mode is vulnerable, but that "Mutual Group Authentication" is not vulnerable to
attacks. Being a reasonably competent user but not an expert in security
models, some research using Google and Wikipedia failed to help me discern
which document is correct. So here are some questions I'd like answers to, and
which I think would make for helpful edits to the readme.

1) Is Cisco lying when they say the new mode is not vulnerable to MITM attacks,
or is the Readme.Debian out of date?

2) Is the insecurity a fundamental issue with XAUTH (for example, not using
good encryption), or is it a matter that group password vulnerability leads to
MITM attacks which leads to theft of passwords?

2.5) A related/variant on 2: If I can actually access the internal network
after authenticating, does that mean that my password was not stolen, or can an
attacker provide me access to the network after stealing my password?

3) The official Cisco client, which I have on my Mac, has three authentication
modes. "Group Password" (old and bad, I gather), "Mutual Group Authentication"
(Cisco claims is OK), and "Certificate Authentication". Which, if any, of these
modes is secure? Does vpnc support all or only some of them?

Thanks,

--Itai

[1] http://www.cisco.com/warp/public/707/cisco-sn-20040415-grppass.shtml

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (110, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.21cavy1
Locale: LANG=he_IL.UTF-8, LC_CTYPE=he_IL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages vpnc depends on:
ii  libc6                         2.6.1-1+b1 GNU C Library: Shared libraries
ii  libgcrypt11                   1.2.4-2    LGPL Crypto library - runtime libr

Versions of packages vpnc recommends:
ii  iproute                       20070313-1 Professional tools to control the 
ii  resolvconf                    1.37       nameserver information handler

-- no debconf information


