(Illustration by Gaich Muramatsu)
On Thu, May 05, 2016 at 01:13:53PM +0200, u-myfx_at_aetey.se wrote: > There is another potential weakness in the way Coda authentication is > being used. When clients talk to servers or servers connect to each > other, they verify that the other party belongs to the correct realm, > but this might happen to be a different server in the same realm. I guess > mixing the server id into the handshake would eliminate this uncertainty. Eh? Server ids should not be exposed like that to begin with. Aside from that a client isn't trying to connect to a server, it is trying to bind to a volume. If you get connected to the the wrong server (how in the world is that even a thing that would 'happen'?) it wouldn't be able to bind to the volume anyway and so the end result is the same without needing to put serverids in the handshake. A client should have no need to know a server id, ever. JanReceived on 2016-05-05 11:25:41