At 20:21 01/12/2004 +0100, Björnke von Gierke wrote:

Dear Frank, Richard

You both raise valid concerns. However, there is barely a chance getting someone to interrupt your communication. In fact, I have yet to hear of such an attempt executed, anywhere (besides rumors about the US government). While direct exploits of programmatic errors I have heard of quite often.

There have been attempts to hijack TCP connections in the course of them being opened. There was a spate of them around ten years ago, aimed at the backbone routers in Europe; I've never heard of any being successful, but there have certainly been attacks aimed at that vulnerability.


The chatrev protocol is strict. The client ignores every malformed message, the server disconnects you if you send wrong data. Of course I can not guarantee the integrity of the underlying TCP/IP stack, but then who can? There is a certain degree of trust involved. Chatrev users trust me, as I both "made" the protocol, and I do host the server. I trust RunRev to deliver a secure internet experience. They trust the people that made the tcp implementation they use. And so on.
If you both are so concerned about the security of the Chatrev users, why don't you join us in the chat, or try to dissect the protocol and give us some security tips?

I'd agree that this is a minimal risk, but if you decided it was worth worrying about, there are some possibilities ..... ranging from a simple password which must be supplied in the start of the transfer, through to md5 keys (a la rfc 2385, though implemented in the application since most TCPs won't support it).


The most interesting would be to simply pass the file transfer via the server. This would avoid any client ever having to "accept" connections. This would have the added side benefit that it would allow two clients, both behind firewalls and/or NATs to transfer files, which they probably cannot do directly.

-- Alex.
P.S. I will be joining the chat ... any particular time(s) you tend to "meet" ?
_______________________________________________
use-revolution mailing list
[EMAIL PROTECTED]
http://lists.runrev.com/mailman/listinfo/use-revolution
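
The application-level keyed digest suggested in the message above, sketched as an added example (not code from the thread or from Chatrev): each chunk of a file transfer carries a tag computed with a shared key, and the receiver closes the transfer on the first malformed or unauthenticated frame. It is written in Python and uses HMAC-SHA256 in place of the keyed MD5 of RFC 2385; the frame layout, the names `seal` and `Receiver`, and the pre-shared key are assumptions.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # size of an HMAC-SHA256 tag in bytes


def _tag(key, nonce, seq, payload):
    # Bind the chunk to this transfer (nonce) and to its position (seq),
    # so a frame captured earlier cannot be replayed or reordered.
    msg = nonce + struct.pack(">Q", seq) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


def seal(key, nonce, seq, payload):
    """Sender side. Frame layout (assumed): 4-byte length | payload | tag."""
    return struct.pack(">I", len(payload)) + payload + _tag(key, nonce, seq, payload)


class Receiver:
    def __init__(self, key):
        self.key = key
        self.nonce = os.urandom(16)  # sent to the peer when the transfer opens
        self.seq = 0
        self.closed = False
        self.data = bytearray()

    def feed(self, frame):
        """Return True if the frame is accepted; otherwise close the transfer."""
        if self.closed:
            return False
        ok = len(frame) >= 4 + TAG_LEN
        if ok:
            (n,) = struct.unpack(">I", frame[:4])
            ok = len(frame) == 4 + n + TAG_LEN
        if ok:
            payload, tag = frame[4:4 + n], frame[4 + n:]
            expected = _tag(self.key, self.nonce, self.seq, payload)
            ok = hmac.compare_digest(tag, expected)  # constant-time compare
        if not ok:
            self.closed = True  # strict: disconnect on wrong data
            return False
        self.data += payload
        self.seq += 1
        return True
```

Because the nonce is fresh for every transfer, frames recorded from one session do not verify in another.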
