Changes between Version 91 and Version 92 of SftpFrontend


Timestamp: 2017-02-05T12:04:35Z (8 years ago)
Author: daira
Comment: Pycrypto is no longer used with recent Twisted

  • SftpFrontend

    v91 v92  
    55
    66= Security =
     7
     8(Note: the following issue no longer applies with recent versions of Tahoe and Twisted; need version details.)
    79
    810The security of the connection between the SFTP client and gateway is dependent on the !PyCrypto library, which has not been reviewed to the same extent as the pycryptopp library that we use elsewhere in Tahoe-LAFS. In particular, the AES implementation in !PyCrypto might be vulnerable to timing attacks and the RSA implementation in !PyCrypto up to and including at least !PyCrypto v2.4.1 is vulnerable to timing attacks. Either of these could potentially, depending on the situation, allow a remote attacker to break the encryption protecting the SFTP connection between your SFTP client and the Tahoe-LAFS gateway process that is acting as SFTP server. Therefore we do not recommend that you rely on the confidentiality or authentication provided by this SSH connection in the current release.
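
Review bot: The note added at v92 line 8 says the issue no longer applies "with recent versions of Tahoe and Twisted" but ends with "need version details", so a reader cannot tell whether their own installation is affected; state the minimum Tahoe-LAFS and Twisted versions before this wording is treated as final. The unchanged paragraph at v92 line 10 still closes with "we do not recommend that you rely on the confidentiality or authentication provided by this SSH connection in the current release", which now reads as contradicting the new note. Scope that sentence to the versions where the SFTP frontend still depends on PyCrypto instead of "the current release".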