Although we (the authors of tinc) have done our best to make tinc as secure as possible, an unfortunate combination of encryption and key exchange techniques has created a hole in at least all versions of tinc >= 0.3, including the current CVS version.

* Exploit:

If somebody can intercept the meta protocol to a host that is running a tinc daemon, it is possible to decrypt the passphrase, which can then be used to gain unauthorised access to the VPN, and become a part of it.

* Workaround:

Add firewall rules so that only trusted hosts can connect to the tinc daemon.

* Fix:

We are currently working on the implementation of a new protocol, with a different authentication scheme. We expect to have a working version in CVS around next weekend, we will release a new version (1.0pre3) when this becomes stable.

Guus Sliepen
Ivo Timmermans