[OpenAFS-devel] openafs - proposed cache security improvement
Jim Rees
rees@umich.edu
Fri, 23 Mar 2007 09:04:40 -0500
Robert Banz wrote:
I know that this would be an "rx" change, but doing something like an
anonymous DH exchange with servers the first time you talk to them
would allow you to create a connection that would be resistant to
this sort of hijacking.
Yes, but if we're going to change something, I think it would be useful for
the client to authenticate the server. If it doesn't, I don't see that
we've really improved the situation.