curl-library

Re: curl+sftp+man-in-the-middle-attck.

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Fri, 14 Mar 2014 13:55:04 +0100 (CET)

On Fri, 14 Mar 2014, san d wrote:

>> sftp is vulnerable to man-in-the-middle attack.
> At least if there is a way to retrieve the remote host key.

So you're top-posting on a reply to yourself about a fictitious attack that you
don't describe?

Are you saying that SFTP in itself allows a MITM attack somehow? Please be
more specific about where you say libcurl has such a problem. Also, bear in
mind that we try to keep security related problems non-public to keep users
safe until we fix and disclose them: http://curl.haxx.se/dev/security.html

> Does the connection establishment/negotiation happen every call to
> curl_easy_perform()?

Unless it can re-use an existing connection, yes.

-- 
  / daniel.haxx.se
Received on 2014-03-14