huokedu / sshtunnel

Automatically exported from code.google.com/p/sshtunnel
GNU General Public License v3.0

Serious Man in the Middle vulnerability - Does not warn if server keys change #75

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Set up tunnel settings and connect.
2. Regenerate server's SSH keys.
3. Reconnect to tunnel.

What is the expected output? What do you see instead?

Expect app to issue strong warning about different SSH keys. Instead it accepts 
the new keys and connects regardless.

What version of the product are you using? On what operating system?

1.5.5beta on Android 2.2

Please provide any additional information below.

This is an extremely serious vulnerability. Anybody who can observe your 
connection (i.e. anybody if you're on public Wi-Fi) can easily Man in the Middle 
your tunnel and eavesdrop on or modify all your traffic. They would also 
intercept your SSH credentials!

Pretty fundamental for an app designed to protect your privacy!

Original issue reported on code.google.com by jon.kn...@gmail.com on 8 Sep 2011 at 6:43
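
The check the report asks for, sketched as an added example that is not part of the original thread or the project's code: the client pins the fingerprint of the server's host key on first acceptance and refuses to authenticate when a later connection presents a different key. The store class, function names, host name and key bytes are all constructed for illustration.

```python
import base64
import hashlib
import struct

def key_algorithm(blob: bytes) -> str:
    """Read the leading length-prefixed algorithm name from an SSH public key blob."""
    if len(blob) < 4:
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or 4 + n > len(blob):
        raise ValueError("bad algorithm name length")
    return blob[4:4 + n].decode("ascii")

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA-256 of the key blob, base64 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

class HostKeyStore:  # in-memory pins keyed by (host, port); a real client persists them
    def __init__(self):
        self._pins = {}

    def check(self, host: str, port: int, blob: bytes) -> str:
        """Return 'match', 'unknown' or 'changed'. Never modifies the store."""
        key_algorithm(blob)  # reject malformed blobs before comparing anything
        pinned = self._pins.get((host.lower(), port))
        if pinned is None:
            return "unknown"  # first contact: show the fingerprint and ask the user
        if pinned == fingerprint(blob):
            return "match"    # safe to continue to authentication
        return "changed"      # warn and abort before any credentials are sent

    def trust(self, host: str, port: int, blob: bytes) -> None:
        """Record a key only after the user has explicitly accepted it."""
        self._pins[(host.lower(), port)] = fingerprint(blob)

def make_blob(algorithm: str, key_material: bytes) -> bytes:
    """Constructed sample data: algorithm name plus one length-prefixed key field."""
    name = algorithm.encode("ascii")
    return struct.pack(">I", len(name)) + name + struct.pack(">I", len(key_material)) + key_material

def demo():  # first connect pins the old key; the regenerated key is then flagged
    store = HostKeyStore()
    old, new = make_blob("ssh-ed25519", b"\x01" * 32), make_blob("ssh-ed25519", b"\x02" * 32)
    store.trust("tunnel.example.org", 22, old)  # user accepted the key on first connect
    return [store.check("tunnel.example.org", 22, k) for k in (old, new)]

if __name__ == "__main__":
    print(demo())
```

The decision has to be made before the authentication step, because a client that authenticates first has already handed its password to whoever presented the new key.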

GoogleCodeExporter commented 9 years ago
This feature will be added in 1.5.3; please help us test it. The APK is 
attached.
P.S. We only provide support for the stable branch.

Original comment by max.c...@gmail.com on 9 Sep 2011 at 9:52

GoogleCodeExporter commented 9 years ago
The APK attached above seems to work fine. Good work :)

Original comment by jon.kn...@gmail.com on 10 Sep 2011 at 8:54

GoogleCodeExporter commented 9 years ago

Original comment by max.c...@gmail.com on 18 Jan 2012 at 6:21