(Illustration by Gaich Muramatsu)
On Thu, May 05, 2016 at 10:49:19AM -0400, Greg Troxel wrote: > Last I looked, there was the possibility of some fs data to travel > unencrypted if it was not associated with a logged-in user. This is in > my view totally not ok. It is encrypted but there is no shared secret between the client and the server during the connection setup handshake, so the session key is encrypted with a commonly known 'null key'. If you capture the INIT2 packet from the server to the client you can trivially decrypt it and get the session key. But.. why would anybody go through that amount of trouble if he can connect to the server without authentication himself and get those same files anyway? Clearly their ACL must allow System:AnyUser access, otherwise the user would have had to be logged-in. JanReceived on 2016-05-05 12:10:27