Jump to content

Problems in security in PE in utorrent and Bittorrent


drkp

Recommended Posts

Posted

I read http://www.tcs.hut.fi/Publications/bbrumley/nordsec08_brumley_valkonen.pdf

In this paper tell about weakness in utorrent about PE

I take this for this paper, page 10:

Encryption downgrade. We tested the clients in two directions: the custom client acting as party A (initiating connections, client) and as party B (receiving connections, server). In both scenarios, the real client was set to allow only encrypted (i.e. RC4) connections. Our custom client then attempted to either provide or select (ignoring the other party's CryptoProvide field) plaintext only; according to the MSE specification, it is up to the client to drop the connection in these cases, although for this attack scenario, as previously mentioned it would be much more convenient to prevent the attack with the use of a MAC. The clients μTorrent and BitTorrent were found to be vulnerable; we were unable to find a difference between the "Enabled" and "Forced" for the "Outgoing" option

of Protocol Encryption. KTorrent, Azureus, and BitComet all rejected selecting an unsupported encryption method, and hence were not found to be vulnerable.

In the paper say some weakness only for utorrnet and the official bittorrent, I like to knowh if this weakness exists today.

But I know for this paper that MSE/PE (Message Stream encryption/Protocol Encription) about Torrent fingerprint leakage there isn't solution by now, but utorrent have another weak that is Skey Recovery weak in page 10, table 2.

But some weakness can be jumped using proxys as TOR networks???

------

Another question,

In other Post, I ask about why PE is'nt enable by default, I know that is in part by compatibility. But when is enable also is compatible with other clients that don't use PE.

In other post, someone said that utorrent has passive support for protocol encription, I know that in PE disable mode, utorrent has support for incomming conections, but not for outgoing connections, it's true?

I think that is neccesary that utorrent has passive support for protocol encription in outgoing as incomming connections, because PE is not too secure, but will be more fast for the people that only use protocol encription in force mode for our ISP

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...