Serious Man in the Middle vulnerability - Does not warn if server keys change

[GoogleCodeExporter]

What steps will reproduce the problem?
1. Set up tunnel settings and connect.
2. Regenerate server's SSH keys.
3. Reconnect to tunnel.

What is the expected output? What do you see instead?

Expect app to issue strong warning about different SSH keys. Instead it accepts 
the new keys and connects regardless.

What version of the product are you using? On what operating system?

1.5.5beta on Android 2.2

Please provide any additional information below.

This is an extremely serious vulnerability. Anybody who can observe your 
connection (ie. anybody if you're on public wifi) can easily Man in the Middle 
your tunnel and eavesdrop on or modify all your traffic. They would also 
intercept your SSH credentials!

Pretty fundamental for an app designed to protect your privacy!

Original issue reported on code.google.com by jon.kn...@gmail.com on 8 Sep 2011 at 6:43

[GoogleCodeExporter]

this feature will be added in 1.5.3, please help us to test it. the apk is 
attached
P.S. we only provide supports for the stable branch

Original comment by max.c...@gmail.com on 9 Sep 2011 at 9:52

• Changed state: Accepted

Attachments:

• sshtunnel-1.5.3.apk

[GoogleCodeExporter]

The APK attached above seems to work fine. Good work :)

Original comment by jon.kn...@gmail.com on 10 Sep 2011 at 8:54

[GoogleCodeExporter]

Original comment by max.c...@gmail.com on 18 Jan 2012 at 6:21

• Changed state: Fixed