tags 442629 + pending thanks I've reworded the warning in README.Debian, in the hope that it will be more clear:
(IN)SECURITY WARNING ==================== As described at this URL: <http://www.cisco.com/warp/public/707/cisco-sn-20040415-grppass.shtml>, which references a Bugtraq thread starting at: <http://www.securityfocus.com/archive/1/347351> ("ISSUE 2") simple XAUTH relying only on pre-shared keys ("group password" method), is not a secure way to set up a trusted connection. In addition to giving away the confidentiality of the VPN session (man-in-the-middle attack), this configuration may disclose the user's password and thus enable the attacker to establish future VPN connections on his own and/or access other services protected by that password (identity theft). Cisco has implemented a different authentication mechanism that requires the use of a certificate in the client in order to securely establish the identity of the VPN server ("Hybrid Auth", "Mutual Group Authentication"). This mechanism is not known to be vulnerable. In short: If a simple configuration file with a group key and your password is enough to establish a VPN connection (auth-mode psk), you're vulnerable. Don't use a password that can also be used in other places, and don't assume your connection to be more secure. If however establishing a VPN connection requires a certificate identifying the server in addition to a group key and your password (auth-mode hybrid), you should be safe. Florian -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
