From: Andre Oppermann
Date: Fri, 05 Apr 2013 10:49:30 +0200
To: Kevin Day
Cc: freebsd-net@freebsd.org
Subject: Re: Syncookies break with Windows 8

On 04.04.2013 23:52, Kevin Day wrote:
>
> On Feb 1, 2013, at 5:09 PM, Andre Oppermann wrote:
>>
>> I'm working on a solution. Have to make sure that the chance to
>> crack a reduced cookie during its 30 seconds lifetime isn't too
>> high. That means involving our resident crypto experts for
>> verification.
>
>
> Hey, Andre!
>
> I know the security people have been pretty busy, but has there been
> any progress on this? We're still running into the occasional complaint
> with this issue.

Yes, there has been progress on a good fix for the issue. I've also got
excellent feedback from a couple of people on the cryptographic properties
of the new cookie approach. I shall be able to post a patch for testing
in the next days.

--
Andre