Changes
DyKnow
,→Security
=Security=
In the spring of 2009, the [http://www.security.vt.edu/ IT Security Office] and DyKnow were alerted that the login process was unsafe. Passwords were being sent over the wire as an [[w:MD5|MD5 hash]] with a static [[w:Salt (cryptography)|salt]] and symmetrically encrypted with [[w:Advanced Encryption Standar|AES]], while . While the salted MD5 hash is invulnerable to [[w:Rainbow table|precomputation attacks]], the symmetric encryption was performed with key information shared between all clients, allowing for simple decryption if the traffic could can be intercepted. Within a month the issue was worked aroundat Virginia Tech. Users were instructed to enable SSL for transactions and unencrypted access to the server was shut off. No response from DyKnow is known of.
If it is preferable for the traffic to remain unencrypted for some time, using [[socat]] as a [[Socat#Cleartext_to_SSL_Tunnel_for_DyKnow|plaintext-to-SSL proxy]] allows the final end of the connection to be encrypted but the initial segment to remain unencrypted.